AD - A 1 4 1  394  THE  DEPARTMENT  OF  HEALTH  AND  HUMAN  SERVICES'  FIRST-YEAR 
IMPLEMENTATION  OF..(U)  GENERAL  ACCOUNTING  OFFICE 
WASHINGTON  DC  HUMAN  RESOURCES  DIV  09  MAY  84 
UNCLASSIFIED  GAO/HRD-84- 47  F/G  5/11 


MICROCOPY  RESOLUTION  TEST  CHART 

NATIONAL  BUREAU  OF  STANDARDS -1963 -A 


Riff  COW  AD-A141  394 


3Y  THE  U.S.  GENERAL  ACCOUNTING  OFFIC 

( 

Report  To  The  Secretary  Of  ^ 

Health  And  Human  Services 


The  Department  Of  Health  And  Human  Services' 
First-Year  Implementation  Of  The 
Federal  Managers'  Financial  Integrity  Act 


GAO  conducted  a  review  of  22  federal 
agencies’  efforts  to  implement  the  Federal 
Managers'  Financial  Integrity  Act  of  1982. 
The  act  was  intended  to  help  reduce  fraud, 
waste,  and  abuse  across  the  spectrum  of 
federal  government  operations  through 
annual  agency  self-assessments  of  their 
internal  controls  and  accounting  systems. 


This  report  highlights  the  progress  made 
and  problems  encountered  by  the  Depart¬ 
ment  of  Health  and  Human  Services  in  its 
first  year  of  experience  with  this  new  act. 
The  report  focuses  on  the  evaluation  of 
internal  controls,  review  of  accounting  sys¬ 
tems,  and  improvements  being  made  by  the 
Department  as  a  result  of  identified  prob¬ 
lems.  GAO  proposed,  and  the  Department 
agreed  to  take,  several  actions  for  further 
improvement.  . 


/ 


i  io 

ELECTE 
MAY  2  3  1984 


» _  1  i— ~— 


/ 


QAO/HRD-84 
MAY  9,  1! 


05 


United  States  General  accounting  office 

WASHINGTON,  D.C.  2064C 


B-202205 


The  Honorable  Margaret  M.  Heckler 
The  Secretary  of  Health  and 
Human  Services 

Dear  Madam  Secretary: 

This  report  presents  the  results  of  our  review  of  HHS' 
first-year  efforts  to  implement  the  Federal  Managers'  Financial 
Integrity  Act  of  1982.  Our  review  was  made  to  assess  the  ade¬ 
quacy  of  the  Department's  implementation  efforts,  and  to  iden¬ 
tify  possible  improvements  needed  for  subsequent  years'  efforts. 

We  identified  several  areas  where  we  believe  the  Department 
needs  to  refine  its  assessment,  evaluation,  and  reporting  proce¬ 
dures.  in  a  draft  of  this  report,  we  proposed  that  you  take 
several  actions  to  enhance  the  Department's  efforts  to  implement 
the  act.  The  Department  concurred  with  our  proposals  and  agreed 
to  take  action.  Accordingly,  we  are  not  making  recommendations 
to  you  in  this  report,  but  we  plan  to  track  the  Department's 
progress  in  taking  the  action  promised. 

As  pointed  out  in  your  Januar-  24,  1984,  reports  to  the 
President  and  the  Congress,  the  Department  has  not  yet  completed 
a  full  assessment  of  its  internal  control  or  accounting  systems. 
Accordingly,  it  has  not  necessarily  identified  all  significant 
weaknesses.  As  the  Department  progresses  further  in  its  evalua¬ 
tion  processes,  corrects  material  weaknesses  in  internal  control 
and  accounting  systems,  and  makes  the  improvements  it  has  agreed 
to,  we  believe  you  should  have  a  more  meaningful  basis  for  con¬ 
cluding  whether  your  internal  control  and  accounting  systems  are 
operating  as  called  for  in  the  act. 

We  are  sending  copies  of  this  report  to  the  Assistant  Sec¬ 
retaries  for  Health,  Human  Development  Services,  and  Management 
and  Budget)  the  Inspector  General;  the  Acting  Commissioner , 
Social  Security  Administration;  the  Administrator,  Health  Care 


B-202205 


Financing  Administration;  and  the  Director ,  Office  of  Management 
and  Budget.  Copies  are  also  being  sent  to  the  Chairmen  of  the 
Senate  Committees  on  Appropriations  and  Governmental  Affairs  and 
the  House  Committees  on  Appropriations  and  Government  Opera¬ 
tions. 

We  appreciate  the  cooperation  and  assistance  given  to  us  by 
HHS  and  component  personnel  during  our  review. 

Sincerely  yours. 


Richard  L.  Fogel 
Director 


GENERAL  ACCOUNTING  OFFICE 
REPORT  TO  THE  SECRETARY  OF 
HEALTH  AND  HUMAN  SERVICES 


THE  DEPARTMENT  OF  HEALTH 
AND  HUMAN  SERVICES' 
FIRST-YEAR  IMPLEMENTATION 
OF  THE  FEDERAL  MANAGERS' 
FINANCIAL  INTEGRITY  ACT 


DIGEST 

The  Department  of  Health  and  Human  Services 
(HHS)  has  made  progress  in  its  first-year 
efforts  to  implement  the  Federal  Managers' 
Financial  Integrity  Act  of  1982  (31  U.S.C. 
3512).  Under  the  act,  heads  of  executive 
agencies  must  report  annually  to  the  Presi¬ 
dent  and  the  Congress  on  whether  their  agen¬ 
cies'  systems  of  internal  accounting  and 
administrative  control  comply  with  the  statu¬ 
tory  internal  control  objectives  and  with 
standards  prescribed  by  the  Comptroller 
General.  Reports  on  internal  controls  must 
be  based  on  evaluations  conducted  in  accord¬ 
ance  with  guidelines  established  by  the  Of¬ 
fice  of  Management  and  Budget  (OMB).  A  sepa¬ 
rate  report  must  be  prepared  on  whether  the 
agency's  accounting  systems  conform  to  the 
Comptroller  General's  accounting  principles 
and  standards.  Although  OMB  is  not  required 
to  provide  evaluation  guidelines  for  review¬ 
ing  accounting  systems,  it  intends  to  do  so. 

GAO  recognizes  that  these  were  the  Depart¬ 
ment's  first-year  efforts  of  a  difficult, 
complex,  and  long-term  undertaking.  GAO  be¬ 
lieves  its  findings  should  be  viewed  in  light 
of  the  Department's  efforts  to  implement  the 
act  before  evaluation  guidelines  were  avail¬ 
able  and  with  the  recognition  that  problems 
are  to  be  expected  during  the  start  of  any 
new  major  initiative. 

POSITIVE  STEPS  TAKEN 

To  implement  its  internal  control  evaluation 
and  improvement  effort,  HHS  essentially  fol¬ 
lowed  the  sequence  of  steps  established  by 
OMB,  including  (1)  organizing  to  implement 
the  act  by  taking  such  actions  as  assigning 
responsibility  at  high  levels}  (2)  segmenting 
itself  into  internal  control  areas,  which  are 
established  for  each  significant  function 


Ter  Wit 


i  GAO/HRD- 84-47 

MAY  9.  1994 


performed  by  each  organizational  unit;  (3) 
assessing  the  vulnerability  of  its  internal 
control  areas  to  loss,  unauthorized  use  of 
resources,  or  illegal  acts;  (4)  conducting 
internal  control  reviews  to  determine  whether 
adequate  control  measures  exist  and  are  work¬ 
ing  effectively;  (5)  tracking  control  weak¬ 
nesses  identified  and  corrective  actions 
taken  or  planned;  and  (6)  reporting  on  the 
status  of  its  internal  control  systems  and 
any  material  internal  control  weaknesses.  In 
addition,  for  performing  accounting  systems 
reviews,  HHS  assigned  responsibilities  and 
developed  policies  and  procedures.  HHS  con¬ 
ducted  reviews  of  10  of  the  22  systems  it 
identified,  and  reported  the  results. 

HHS*  GUIDANCE  ON  SEGMENTATION 
NEEDS  TO  BE  REFINED 

OMB  guidelines  provide  that  agencies  segment 
themselves  into  internal  control  areas  to 
provide  complete  coverage  of  all  program  and 
administrative  activities  so  that  vulnera¬ 
bility  assessments  of  each  area  can  be  made. 
HHS'  segmentation  process  identified  16 
functions— such  as  travel,  grants,  and  pro¬ 
curement  and  purchasing — which  it  believed 
covered  all  of  the  significant  activities 
performed  in  that  agency  (see  p.  41).  About 
6,200  internal  control  areas  were  then  iden¬ 
tified.  However,  some  internal  control  areas 
which  should  have  been  included  were  missed. 
This  occurred  for  essentially  three  reasons. 

— First,  HHS'  list  of  16  functions  was  not 
complete.  For  example,  because  the  list 
did  not  contain  a  separate  functional  area 
for  research,  the  National  Institutes  of 
Health  did  not  identify  internal  control 
areas  for  research  conducted  in-house. 

— Second,  HHS'  instructions  to  its  component 
agencies  on  segmenting  do  not  clearly  de¬ 
fine  significant  responsibility  for  pur¬ 
poses  of  establishing  internal  control 
areas.  For  example,  because  of  this  lack 
of  clarity,  the  Social  Security  Administra¬ 
tion  (SSA)  excluded  the  functions  of 


i 


ii 


travel  and  personnel  from  its  inventory 
of  internal  control  areas  for  all  head¬ 
quarters  and  field  organizational  units 
except  for  one  office,  even  though  many 
units  had  significant  responsibility  for 
these  activities. 

— Third,  descriptions  of  many  internal 
control  areas  were  so  general  that  the 
scope  of  activities  to  be  assessed  for 
vulnerability  were  not  clear  or  could  not 
be  determined  either  by  persons  performing 
such  assessments  or  by  GAO.  One  of  the 
Health  Care  Financing  Administration's 
(HCFA's)  major  responsibilities — monitoring 
the  propriety  of  Medicare  and  Medicaid 
payments — was  so  generally  described  as 
part  of  an  internal  control  area  that 
the  person  who  was  responsible  for 
performing  the  assessment  of  the  area 
did  not  consider  it.  (See  p.  13.) 

CHANGES  ARE  NEEDED  IN 

Hits'1  mrifififisrcff? — 

ASSESSMENT  PROCESS 


HHS  developed  guidelines  and  assessment  forms 
for  performing  vulnerability  assessments  of 
its  internal  control  areas.  However,  the 
resulting  assessments  were  not  a  reliable 
basis  for  scheduling  and  guiding  subsequent 
internal  control  reviews.  This  occurred  for 
a  number  of  reasons: 

— HHS'  assessment  forms  did  not  include  all 
the  factors  OMB  considers  necessary  for 
making  adequate  vulnerability  assessments. 
Excluded  were  such  factors  as  program  size 
and  a  preliminary  evaluation  of  existing 
safeguards.  (See  p.  19.) 

— The  scoring  system  used  by  HHS  on  its 

standard  assessment  form  was  biased  against 
achieving  highly  vulnerable  ratings.  There 
was  no  provision  for  weighting  the  factors 
according  to  their  relative  importance  to 
the  internal  control  area  being  assessed, 
and  many  assessors  rated  items  that  were 


iii 


not  applicable  as  having  low  vulnera¬ 
bility.  This  skewed  overall  ratings  in 
several  cases  toward  low  or  moderate 
vulnerability.  (See  p.  20.) 

— Some  assessment  forms  were  inaccurately 
completed.  For  example,  in  some  cases  the 
results  of  GAO  or  inspector  General  audits 
were  not  reflected  on  HHS'  standard  assess¬ 
ment  form,  in  addition,  the  SSA  internal 
control  officer  discounted  the  309  highly 
vulnerable  ratings  reported  on  an  abbrevi¬ 
ated  assessment  form  used  by  SSA  because  of 
variances  in  how  the  forms  were  prepared. 
(See  pp.  19,  22,  and  23.) 

— Some  preparers  of  vulnerability  assessments 
received  little  or  no  training  and  said 
they  would  have  rated  their  areas  differ¬ 
ently  had  they  known  more  about  the 
process.  (See  p.  23.) 

In  addition  to  correcting  these  problems,  GAO 
believes  HHS  can  further  improve  its  vulner¬ 
ability  assessment  process  by  requiring  that 
preparers  describe  the  basis  for  scores  and 
ratings  assigned,  even  though  this  is  not 
specifically  provided  for  by  OMB.  This  would 
provide  needed  information  to  reviewers  for 
conducting  internal  control  reviews  and  to 
management  for  taking  other  appropriate  ac¬ 
tions.  (See  p.  21.) 

GAO  also  believes  that  HHS'  vulnerability 
assessment  process  should  include  a  system¬ 
atic  approach  for  identifying  known  weak¬ 
nesses  contained  in  GAO,  Inspector  General, 
and  other  reports  and  for  entering  these 
weaknesses  in  its  tracking  system  for 
possible  inclusion  in  its  year-end  report. 
(See  p.  22.) 

HHS'  INTERNAL  CONTROL 
AND  ACCOUNTING  SYSTEMS 
REVIEW  METHODOLOGY  NEEDS 
TO  BE  IMPROVED 

Although  HHS  conducted  1,135  internal  control 
reviews  during  the  first  year,  these  reviews 
did  not  always  result  in  adequate  evaluations 
of  internal  controls.  This  is  due  to  the 


fact  that  about  870  of  these  were  ongoing 
efforts  at  SSA  which  were  substituted  for  new 
reviews  and  as  such  were  not  intended  to  ac¬ 
complish  all  of  the  objectives  of  new  re¬ 
views.  For  example,  SSA  did  not  evaluate  the 
general  control  environment.  In  addition, 
HHS’  guidelines  for  conducting  new  internal 
control  reviews  did  not  require  performance 
of  all  steps  prescribed  in  0MB  guidelines. 

Many  of  the  internal  control  reviews  GAO  ex¬ 
amined  missed  important  evaluation  factors 
included  in  0MB  guidelines — such  as  an  evalu¬ 
ation  of  the  appropriateness  of  controls  and 
such  general  control  environment  factors  as 
management  attitude  and  budgeting  and  report¬ 
ing  practices — and  did  not  adequately  docu¬ 
ment  the  review  procedures  performed.  Some 
reviews  were  too  limited  in  soope  because 
they  missed  evaluating  internal  controls  over 
important  functional  activities  within  an 
internal  control  area.  For  example,  at  SSA, 
controls  over  receipts  for  services  provided 
to  other  agencies  which  amounted  to  $5.2  mil¬ 
lion  in  fiscal  year  1982,  were  not  included 
in  the  review  of  the  sales  function  at  head¬ 
quarters.  (See  p.  25.) 

HHS'  written  procedures  for  evaluating  its 
accounting  systems  appeared  reasonable.  How¬ 
ever,  HHS'  evaluations  did  not  fully  comply 
with  its  procedures,  and  consequently  were 
inadequate  to  properly  determine  whether  the 
10  systems  evaluated  complied  with  the  Comp¬ 
troller  General's  principles  and  standards. 
Very  little  testing  was  done  for  six,  and 
testing  for  the  other  four  involved  a  limited 
examination  of  a  few  transactions  and  did  not 
cover  all  of  the  Comptroller  General's  prin¬ 
ciples  and  standards.  In  addition,  no  docu¬ 
mentation  was  available  for  reviews  of  six 
systems  to  show  methods  used  or  to  explain 
instances  of  noncompliance,  and  incomplete 
information  was  available  for  four  systems  on 
the  testing  done  and/or  basis  for  the  conclu¬ 
sions  reached.  (See  p.  37.) 


BETTER  COVERAGE  OP  AUTOMATIC 
DATA  PROCESSING  ACTIVITIES’ 

IS  NEEDED 


HHS  essentially  excluded  automatic  data  pro¬ 
cessing  (ADP)  activities  from  its  vulner¬ 
ability  assessment  and  internal  control  re¬ 
view  processes.  Instead,  it  relied  on  the 
results  of  its  ongoing  ADP  security  review 
program  conducted  under  OMB  Circular  A-71 
(Transmittal  No.  1,  Security  of  Federal  Auto¬ 
mated  Information  Systems)  to  accomplish  the 
objectives  of  the  Financial  Integrity  Act. 

The  procedures  HHS  followed  under  its  ADP 
security  review  program,  however,  did  not 
address  many  of  the  factors  considered  neces¬ 
sary  by  OMB's  internal  control  guidelines, 
such  as  the  preliminary  evaluation  of  safe¬ 
guards  and  the  consideration  of  the  general 
control  environment;  and  the  evaluations  GAO 
reviewed  were  generally  limited  to  the  physi¬ 
cal  security  of  ADP.  They  did  not  generally 
include  controls  over  ADP  systems  to  produce 
accurate,  complete,  and  timely  output,  as 
provided  for  in  OMB's  guidelines.  (See  p. 
32.) 

OTHER  ASPECTS  OF 
THE  EVALUATION  PROCESS 
NEED  IMPROVEMENT 

HHS  could  further  improve  its  implementation 
efforts  by  providing  (1)  additional  monitor¬ 
ing  of  the  validity  of  the  segmentation, 
vulnerability  assessment,  and  internal  con¬ 
trol  and  accounting  system  review  processes 
and  (2)  additional  training  on  the  objectives 
of  and  procedures  for  doing  these  processes. 
Systematic,  department-wide  monitoring  ef¬ 
forts  were  limited  and  did  not  fully  cover 
all  important  aspects  of  the  Department's 
implementation  efforts.  (See  p.  30.)  Train¬ 
ing  that  was  provided  was  not  always  adequate 
to  provide  a  full  understanding  of  the  objec¬ 
tives  of  the  evaluation  process  or  how  to 
perform  assessment  or  review  procedures. 

(See  p.  31.) 


vi 


YEAR-END  REPORTS 
SHOULD  BE  MORE  COMPLETE 


The  Secretary  reported  on  January  24,  1984, 
that  she  had  reasonable  assurance  that  the 
Department's  internal  controls  in  effect  dur¬ 
ing  calendar  year  1983,  taken  as  a  whole, 
were  operating  as  called  for  by  the  act  and 
that  the  Department's  eight  general  ledger 
and  two  payroll  systems  operating  during 
1983,  also  taken  as  a  whole,  conformed  in  all 
material  respects  to  the  appropriate  princi¬ 
ples  and  standards. 

A  total  of  200  material  weaknesses  in  inter¬ 
nal  controls,  such  as  inadequate  controls  to 
prevent  grantees  from  maintaining  excessive 
cash  balances,  disclosed  during  HHS'  evalua¬ 
tion  were  reported  by  the  Secretary.  She 
also  reported  that  corrective  actions  have 
been  taken  for  78  of  the  weaknesses  and  a 
goal  was  established  to  correct  the  others  by 
December  31,  1984.  In  the  accounting  systems 
area,  23  instances  of  nonconformance  were  re¬ 
ported  for  which  corrective  action  plans  were 
developed  and  being  implemented. 

The  Department  took  the  position  that  its 
year-end  reports  only  had  to  contain  those 
material  internal  control  weaknesses  which 
were  specifically  identified  in  its  internal 
control  reviews.  HHS  took  a  similar  position 
with  respect  to  its  accounting  systems  re¬ 
port.  Therefore,  other  internal  controls  or 
accounting  systems  problems  identified  in 
previous  GAO,  Inspector  General,  and  agency 
contractor  reports  were  not  included. 

GAO  believes  that  some  of  these  weaknesses 
which  remain  uncorrected  are  more  material 
than  many  of  those  reported  by  HHS  and  should 
have  been  included  in  its  year-end  report. 

For  example,  HHS  did  not  report  weaknesses  in 
internal  controls  over  benefit  payments  at 
HCFA  that  resulted  in  the  agency's  paying  for 
medically  unnecessary  services  provided  to 
beneficiaries  or  that  internal  controls  are 
inadequate  at  SSA  to  prevent  erroneous  wage 
data  from  getting  into  its  wage  data  base. 


vii 


However,  HHS  did  report  that,  in  one  regional 
office,  small  equipment  which  was  open  to 
theft  was  not  marked  with  identifying 
numbers . 

GAO  PROPOSALS  AND 
AGENCY  COMMENTS 

In  a  draft  of  this  report,  GAO  proposed  that 
the  Secretary  take  several  actions  to  improve 
the  Department's  internal  control  and  ac¬ 
counting  systems  evaluations  and  reporting . 
These  proposals  included: 

— Refining  guidance  and  instructions  on  iden¬ 
tifying  and  describing  internal  control 
areas  to  attain  more  complete  coverage  of 
agency  functions.  (See  p.  16.) 

— Developing  new  vulnerability  assessment 
forms  which  will  result  in  more  accurate 
and  meaningful  assessments  and  will  include 
a  written  explanation  of  the  reasons  for 
the  ratings  given.  (See  p.  24.) 

— Requiring  that  all  internal  control  reviews 
(or  approved  substitutes)  be  performed  in 
accordance  with  OMB  guidelines  and  that 
accounting  systems  reviews  include  adequate 
testing  of  the  systems  and  documentation  of 
the  results  of  the  reviews.  (See  p.  29.) 

— Providing  for  adequate  assessments  and  re¬ 
views  of  ADP  activities.  (See  p.  35.) 

— Providing  more  training  on  the  objectives 
of  the  segmentation,  vulnerability  assess¬ 
ment,  and  internal  control  review  processes 
and  procedures  to  be  followed  and  addi¬ 
tional  monitoring  of  the  internal  control 
evaluation  and  improvement  effort.  (See 
p.  35.) 

— Requiring  that  internal  control  and  ac¬ 
counting  systems  weaknesses  identified  by 
GAO,  the  inspector  General,  and  others 
outside  the  internal  control  or  accounting 
system  evaluation  processes  be  given  rec¬ 
ognition  in  the  vulnerability  assessment 
process  and  year-end  reports.  (See  pp.  24 
and  39.) 


In  commenting  on  the  draft  report  (see  app. 
VI.)#  the  Department  agreed  to  take  the  cor¬ 
rective  actions  GAO  proposed.  Accordingly, 
GAO  is  not  making  recommendations  to  the  De¬ 
partment  but  plans  to  track  HHS ’  progress  in 
taking  the  promised  corrective  actions. 

In  March  1984,  HHS  announced  a  reorganization 
within  the  Office  of  the  Secretary.  As  part 
of  this  effort  HHS  plans  to  reduce  the  role 
of  the  Office  of  the  Assistant  Secretary  for 
Management  and  Budget  in  providing  technical 
assistance,  policy  development,  and  monitor¬ 
ing  relative  to  the  Financial  Integrity  Act. 
HHS  plans  for  the  Office  of  Inspector  General 
to  assume  principal  responsibility  for  moni¬ 
toring  the  Department's  efforts  under  the 
act. 

The  full  effects  of  this  reorganization  are 
not  yet  apparent.  GAO  will  track  the  effect 
of  this  change  during  its  review  of  HHS' 
second-year  efforts  under  the  act.  GAO  will 
look  closely  at  the  number  of  staff  avail¬ 
able,  their  expertise,  and  the  nature  of  the 
relationship  between  the  Secretary's  Office 
and  the  Office  of  inspector  General,  espe¬ 
cially  as  it  relates  to  the  smooth  develop¬ 
ment  and  implementation  of  consistent  poli¬ 
cies  and  procedures  throughout  the  Depart¬ 
ment  . 


Tot  Stott 


i  *y»'i 


Contents 


DIGEST 

CHAPTER 


i 


1  INTRODUCTION  1 

Overview  of  HHS '  first-year  efforts  3 

Objectives,  scope,  and  methodology  9 

2  ADDITIONAL  GUIDANCE  NEEDED  ON  IDENTIFICATION 

OF  INTERNAL  CONTROL  AREAS  13 

All  significant  HHS  activities 

were  not  inventoried  13 

Internal  control  area  descriptions 

were  too  general  15 

Need  to  reevaluate  size  of  internal 
control  area  covering  two 

significant  programs  16 

Proposed  corrective  actions  and  HHS* 

response  16 

3  VULNERABILITY  ASSESSMENT  PROCESS  NEEDS 

IMPROVEMENT  18 

HHS '  guidance  does  not  provide  for 

comprehensive  assessments  19 

The  scoring  system  is  biased  against 

achieving  a  highly  vulnerable  rating  20 

Explanations  of  scores  are  not  required  21 

Weaknesses  identified  in  external  reports 
were  sometimes  overlooked  in  vulner¬ 
ability  assessments  22 

HHS  does  not  record  weaknesses  iden¬ 
tified  in  the  assessment  process  22 

Other  conditions  raise  questions  about 

the  validity  of  assessment  results  23 

Proposed  corrective  actions  and  HHS ' 

response  24 

4  IMPROVEMENTS  ARE  NEEDED  IN  HHS'  INTERNAL 

CONTROL  REVIEWS  25 

ICRs  did  not  evaluate  all  important 

factors  25 

Some  ICRs  did  not  evaluate  all  controls 

included  in  the  internal  control  area  27 

Need  for  better  documentation  of  ICRs  28 

Proposed  corrective  actions  and  HHS ' 
response 


29 


CHAPTER 


5  OTHER  IMPROVEMENTS  NEEDED  IN  HHS ' 

INTERNAL  CONTROL  EFFORTS  30 

Monitoring  efforts  need  to  be  improved  30 

Additional  training  could  improve 

implementation  of  the  act  31 

ADP  activities  were  not  adequately 

considered  and  evaluated  32 

HHS*  year-end  report  hould  be  improved  34 

Proposed  corrective  actions  and  HHS ' 

response  35 

6  IMPROVEMENTS  ARE  NEEDED  IN  HHS'  REVIEWS 

OF  ACCOUNTING  SYSTEMS  37 

More  and  better  testing  of  accounting 

systems  is  needed  37 

Better  documentation  of  accounting 

system  reviews  needed  37 

Monitoring  needed  38 

All  significant  known  problems  should 

be  reported  38 

Proposed  corrective  actions  and  HHS ' 

response  39 

APPENDIX 

I  Department  of  Health  and  Human  Services' 

operating  and  staff  divisions  40 

II  Department  of  Health  and  Human  Services ' 

16  internal  control  functional  areas  41 

III  Department  of  Health  and  Human  Services' 

vulnerability  assessment  model  44 

IV  Social  Security  Administration's  abbreviated 

7  vulnerability  assessment  form  46 

V  Examples  of  material  weaknesses  and  correc¬ 
tive  measures  reported  by  HHS  47 

VI  Agency  comments  53 


ABBREVIATIONS 


ADP  automatic  data  processing 

ASNB  Office  of  the  Assistant  Secretary  for  Management  and 

Budget 

CDC  Centers  for  Disease  Control 

GAO  General  Accounting  Office 

HCFA  Health  Care  Financing  Administration 

HHS  Department  of  Health  and  Human  Services 

ICO  internal  control  officer 

ICR  internal  control  review 

N/A  not  applicable 

OCS  Office  of  Community  Services 

OHDS  Office  of  Human  Development  Services 

OIG  Office  of  Inspector  General 

OMB  Office  of  Management  and  Budget 

PHS  Public  Health  Service 

RASC  Regional  Administrative  Support  Center 

SSA  Social  Security  Administration 

VA  vulnerability  assessment 


CHAPTER  1 


INTRODUCTION 


Responding  to  continuing  disclosures  of  fraud,  waste,  and 
abuse  across  a  wide  spectrum  of  government  operations,  which 
were  largely  attributable  to  serious  weaknesses  in  agencies' 
internal  controls,  the  Congress  in  August  1982  passed  the  Fed¬ 
eral  Managers'  Financial  Integrity  Act  (31  U.S.C.  3512(b)  and 
(c)).  The  law  was  enacted  to  strengthen  the  existing  require¬ 
ment  of  the  Accounting  and  Auditing  Act  of  1950  that  executive 
agencies  establish  and  maintain  systems  of  accounting  and  inter¬ 
nal  control  in  order  to  provide  effective  control  over,  and 
accountability  for,  all  funds,  property,  and  other  assets  for 
which  the  agency  is  responsible  (31  U.S.C.  3512(a)(3)). 

We  believe  that  full  implementation  of  the  Financial  Integ¬ 
rity  Act  will  enable  the  heads  of  federal  departments  and  agen¬ 
cies  to  identify  their  major  internal  control  and  accounting 
problems  and  improve  controls  essential  to  the  development  of  an 
effective  management  control  system  and  a  sound  financial  man¬ 
agement  structure  for  their  agencies.  To  achieve  these  ends  the 
act  requires 

—each  executive  agency  to  establish  and  maintain  its  in¬ 
ternal  controls  in  accordance  with  the  standards  pre¬ 
scribed  by  the  Comptroller  General,  so  as  to  reasonably 
assure  that;  (1)  obligations  and  costs  comply  with 
applicable  law;  (2)  all  funds,  property,  and  other  assets 
are  safeguarded  against  waste,  loss,  unauthorised  use,  or 
misappropriation;  and  (3)  revenues  and  expenditures  ap¬ 
plicable  to  agency  operations  are  recorded  and  properly 
accounted  for. 

— each  executive  agency  to  evaluate  and  report  annually  on 
internal  control  systems.  The  report  is  to  state  whether 
agency  systems  of  internal  control  comply  with  the  objec¬ 
tives  of  internal  controls  set  forth  in  the  act  and  with 
the  standards  prescribed  by  the  Comptroller  General.  The 
act  also  provides  for  agency  reports  to  identify  the 
material  weaknesses  involved  and  describe  the  plans  for 
corrective  action. 

— each  executive  agency  to  prepare  a  separate  report  on 
whether  the  agency's  accounting  systems  conform  to  prin¬ 
ciples,  standards,  and  related  requirements  prescribed 
by  the  Comptroller  General. 


— the  Office  of  Management  and  Budget  (OMB)  to  issue  guide¬ 
lines  for  each  executive  agency  to  use  in  evaluating  its 
internal  control  systems.  These  guidelines  were  issued 
in  December  1982. 

— the  Comptroller  General  to  prescribe  standards  for  fed¬ 
eral  agencies*  internal  control  systems.  The  Comptroller 
General  issued  these  standards  covering  both  program  and 
financial  management  in  June  1983. 

The  Financial  Integrity  Act  requires  that  each  executive 
agency  use  the  guidelines  established  by  OMB  to  evaluate  and  de¬ 
termine  the  compliance  of  its  systems  of  internal  control  with 
standards  prescribed  by  the  Comptroller  General.  The  OMB  guide¬ 
lines  provide  agencies  with  a  basic  systematic  approach  for 
evaluating,  improving,  and  reporting  on  their  internal  controls 
comprising  seven  phases: 

— Organizing  the  process.  This  includes  the  assignment  of 
responsibilities  for  planning,  directing,  and  controlling 
the  process  and  the  development  of  an  information  system 
that  provides  for  tracking  the  status  of  evaluations  and 
corrective  actions. 

— Segmenting  the  agency  into  organizational  components  and 
then  identifying  the  programs  and  administrative  func¬ 
tions  conducted  in  each  component. 

— Assessing  each  program  or  function  identified  in  the  seg¬ 
menting  phase  for  vulnerability  to  waste,  loss,  unauthor¬ 
ized  use,  or  misappropriation  of  funds,  property,  or 
other  assets  and  then  deciding  which  programs  or  func¬ 
tions  are  the  most  vulnerable. 

— Developing  plans  and  schedules  for  the  performance  of 
internal  control  reviews  (ICRs)  and  other  actions. 

—Reviewing  the  internal  controls  to  determine  whether  ade¬ 
quate  control  measures  exist  and  are  functioning  as  in¬ 
tended  . 

—Determining,  scheduling,  and  taking  necessary  corrective 
actions. 

— Preparing  the  annual  statement  to  the  President  and  the 
Congress  on  the  status  of  the  agency's  system  of  internal 
control . 

The  Department  of  Health  and  Human  Services  (HHS)  is  1  of 
22  federal  agencies  we  evaluated  to  assess  the  processes  used  to 
implement  the  act  during  the  first  year. 


OVERVIEW  OF  HHS 1 
FIRST-YEAR  EFFORTS 


The  Department's  efforts  under  the  Financial  Integrity  Act 
are  made  up  of  two  initiatives.  The  first  is  directed  at  evalu¬ 
ating,  improving,  and  reporting  on  the  Department's  systems  of 
internal  control  and  is  intended  to  meet  the  requirements  of 
section  2  of  the  act — financial  and  accounting  controls.  The 
second  initiative  is  directed  at  determining  and  reporting  on 
whether  its  accounting  systems  are  in  compliance  with  the  Comp¬ 
troller  General's  accounting  principles  and  standards  and  is 
intended  to  meet  the  requirements  of  section  4  of  the  act — 
accounting  systems. 

Internal  control  systems 

HHS  began  its  internal  control  improvement  efforts  in  re¬ 
sponse  to  OMB  Circular  A-123,  which  was  issued  in  October  1981. 
Many  of  HHS'  policies  and  procedures  for  its  internal  control 
programs  were  established  before  the  issuance  of  OMB's  December 
1982  internal  control  guidelines.  Although  there  are  differ¬ 
ences  between  HHS'  policies  and  procedures  and  OMB's  guidelines, 
the  phases  of  HHS*  internal  control  evaluation  and  improvement 
process  generally  parallel  those  set  forth  in  OMB's  guidelines. 
Following  is  a  description  of  the  steps  taken  and  progress  made 
by  HHS  to  implement  its  internal  control  improvement  program. 

Organizing 

On  March  8,  1982,  the  then  Secretary  of  HHS  expressed  his 
support  for  a  concerted  effort  to  identify,  evaluate,  and  moni¬ 
tor  existing  internal  controls.  He  designated  the  Assistant 
Secretary  for  Management  and  Budget  as  the  Internal  Control  Man¬ 
ager  for  the  Department.  The  Assistant  Secretary  was  delegated 
authority  to  issue  directives,  monitor  and  evaluate  performance, 
and  advise  the  Secretary  on  the  status  of  internal  controls. 

The  Assistant  Secretary  appointed  an  Internal  Control 
Steering  Committee  composed  of  representatives  from  the  Office 
of  the  Assistant  Secretary  for  Management  and  Budget  ( ASMB ) ,  the 
Office  of  inspector  General  (OIG),  and  the  Office  of  the  Assist¬ 
ant  Secretary  for  Personnel  Administration.  The  purpose  of  the 
committee  is  twofold:  (1)  to  determine  the  overall  department¬ 
wide  approach  for  implementing  the  internal  control  aspects  of 
OMB  Circular  A-123  and  subsequently  of  the  Financial  Integrity 
Act  and  (2)  to  provide  advice  and  detailed  technical  assistance. 
In  addition,  ASMB  assigned  staff  to  (1)  provide  technical  exper¬ 
tise  in  developing  the  Department's  overall  approach,  (2)  pro¬ 
vide  quality  control  through  monitoring  and  evaluation,  and 
(3)  initiate  the  development  of  a  computerized  tracking  system. 


3 


The  Secretary  also  assigned  to  the  head  of  each  operating 
and  staff  division  (see  app.  I)  the  responsibility  for  assuring 
that  internal  controls  are  employed  in  all  aspects  of  his  or  her 
organization.  Each  operating  and  staff  division  head  appointed 
an  internal  control  officer  (ICO)  to  assure  that  directives 
issued  by  ASMB  were  properly  implemented. 

In  addition  to  providing  technical  assistance  through  the 
Internal  Control  Steering  Committee ,  the  OIG  monitored  the  De¬ 
partment's  efforts  to  implement  the  Financial  Integrity  Act.  As 
a  part  of  its  monitoring  activities,  the  OIG  evaluated  a  sample 
of  completed  internal  control  reviews  and  accounting  systems 
evaluations.  In  his  December  12,  1983,  report  to  the  Assistant 
Secretary  for  Management  and  Budget,  the  Inspector  General  indi¬ 
cated  that  the  Department  had  taken  aggressive  action  to  imple¬ 
ment  both  the  internal  control  and  accounting  system  aspects  of 
the  act  and  identified  a  number  of  problems  that  required  atten¬ 
tion. 

In  November  1983,  the  Assistant  Secretary  for  Personnel  Ad¬ 
ministration  indicated  that  members  of  the  Senior  Executive 
Service  and  employees  covered  by  merit  pay  who  have  significant 
management  responsibility  should  have  performance  agreements 
that  require  fulfillment  of  their  internal  control  responsibili¬ 
ties.  Guidelines  were  issued  on  how  to  accomplish  this  task. 

In  March  1984,  HHS  announced  a  reorganization  within  the 
Office  of  the  Secretary,  including  a  "streamlining"  of  ASMB.  As 
part  of  this  streamlining  effort,  HHS  plans  to  reduce  ASMB's 
technical  assistance,  policy  development,  and  monitoring  roles 
relative  to  the  Financial  Integrity  Act.  HHS*  plan  calls  for 
OIG  to  assume  the  principal  monitoring  responsibility  for  the 
Department's  efforts  under  the  act.  However,  the  full  effects 
of  the  HHS  streamlining  plan  on  the  management  and  operation  of 
the  Department's  Financial  Integrity  Act  effort  were  not  clear 
as  of  April  1984.  We  intend  to  track  this  during  our  review  of 
HHS'  second-year  efforts  under  the  act. 


The  Secretary  determined  that  due  to  the  large  size  (i.e., 
fiscal  year  1983  budget  of  about  $274  billion  and  approximately 
142,000  employees  at  2,830  locations)  and  extreme  complexity  of 
HHS,  the  most  effective  manner  of  segmenting  the  Department  was 
to  separate  it  into  major  organizational  components  and  have 
each  component  segment  its  operations,  assuming  16  functions  are 
performed  in  the  Department  (see  app.  II).  If  ICOs  identified 
additional  functions,  they  could  add  them  to  the  Department's 
list  of  16.  However,  no  additional  functions  were  identified. 


The  basic  segmentation  methodology  was  to  identify  all  or¬ 
ganisational  components  down  to  a  specified  level  which  have 
significant  responsibility  for  1  or  more  of  the  16  functions. 

An  "internal  control  area"  was  to  be  established  for  each  signi¬ 
ficant  function  performed  by  each  organizational  component. 

This  process  resulted  in  the  identification  of  6,238  internal 
control  areas.  For  example,  13  internal  control  areas  were  es¬ 
tablished  at  the  National  Cancer  Institute.  One  was  established 
for  each  of  the  functions  of  general  policy  and  direction,  in¬ 
ventories,  budget  planning  and  formulation,  receivables,  budget 
execution,  travel,  and  records  systems.  Two  internal  control 
areas  were  established  for  each  of  the  functions  of  procurement 
and  purchasing,  personnel,  and  grants. 

Each  internal  control  area  was  described  on  an  inventory 
sheet  which  shows  the  function  covered,  the  organizational  com¬ 
ponent,  and  the  name  of  the  official  who  is  responsible  for  as¬ 
suring  that  internal  controls  are  in  place  and  working  properly. 
The  inventory  sheet  is  also  to  contain  a  description  of  the 
scope  of  the  organization  covered,  including  quantifiable  fac¬ 
tors,  such  as  dollars  and/or  volume. 

Vulnerability  assessments 

HHS  defines  a  vulnerability  assessment  (VA)  as  a  review  of 
the  susceptibility  of  an  internal  control  area  to  loss  or  un¬ 
authorized  use  of  resources,  errors  in  reports  and  information, 
illegal  or  unethical  acts,  and/or  adverse  or  unfavorable  public 
opinion.  Two  methodologies  were  used  to  perform  the  assess¬ 
ments.  ASMB  developed  a  standard  HHS  methodology  and  VA  form 
(see  app.  Ill)  which  was  used  throughout  HHS  to  perform  approxi¬ 
mately  2,100  VAs.  In  addition,  the  Social  Security  Administra¬ 
tion  (SSA)  developed,  and  ASMB  approved,  an  abbreviated  method¬ 
ology  and  form  (see  app.  IV)  which  was  used  to  perform  approxi¬ 
mately  4,100  VAs  at  SSA  field  offices  (district  offices,  branch 
offices,  and  teleservice  centers). 

Completed  VAs  were  to  be  reviewed  and  approved  by  the  ap¬ 
propriate  ICOs.  If  in  the  professional  judgment  of  the  ICO 
there  were  conditions  or  circumstances  that  made  internal  con¬ 
trol  areas  highly  vulnerable,  but  they  were  not  originally  rated 
as  such,  he/ she  could  "override"  the  ratings  assigned.  Of  HHS' 
6,238  VAs,  419,  or  about  7  percent,  were  rated  highly  vulner¬ 
able;  1,651,  or  26  percent,  moderately  vulnerable;  and  4,168,  or 
67  percent,  were  rated  as  having  low  vulnerability.  According 
to  HHS,  ICOs  overrode  assessments  initially  rated  as  low  or 
moderate  in  about  100,  or  about  1.6  percent,  of  the  cases. 


Internal  control  reviews 


HHS  defines  an  ICR  as  a  detailed  examination  of  an  internal 
control  area  to  determine  whether  adequate  control  measures 
exist  and  are  implemented  to  prevent  or  detect  the  occurrence  of 
potential  risks.  HHS'  policy  requires  that  all  areas  assessed 
as  highly  vulnerable  (including  overrides)  be  reviewed  during 
the  first  year  of  its  internal  control  improvement  program  and 
that  all  areas  must  be  reviewed  within  5  years. 

HHS'  instructions  state  that  an  ICR  should  identify  the 
internal  controls  in  place  to  accomplish  the  control  objectives 
and  test  whether  the  controls  are  functioning  as  intended. 
Supporting  documentation  is  to  be  maintained  and  must  be  readily 
available  for  review.  The  instructions  also  state  that  the 
degree  of  review  of  controls  should  be  proportionate  to  the 
dollar  value  associated  with  the  functional  area.  A  report  con¬ 
taining  findings,  conclusions,  and  recommendations  is  prepared 
for  each  completed  ICR. 

HHS  has  developed  a  suggested  approach  that  can  be  used  by 
HHS  components  for  conducting  new  ICRs.  For  each  functional 
area,  except  automatic  data  processing  (ADP),  HHS  has  developed 
a  set  of  internal  control  objectives  and  a  questionnaire.  The 
questionnaire  is  to  be  completed  by  the  manager  for  the  area 
under  review  or  jointly  by  the  manager  and  the  reviewer.  The 
questionnaires  address  internal  control  techniques  and  system 
documentation.  HHS'  guidance  suggests  the  circumstances  in 
which  the  reviewer  should  verify  management's  opinions  on  the 
adequacy  of  controls  and  suggests  that  verification  may  be  done 
by  testing,  interviewing,  and  observing. 

HHS'  guidance  provides  that  reviews,  such  as  those  per¬ 
formed  by  GAO,  OIG,  and  those  ongoing  by  management,  may  be 
substituted  for  ICRs,  provided  they  meet  ICR  requirements  or 
could  do  so  with  minimum  modifications.  ICOs  are  responsible 
for  determining  whether  substitutes  referred  to  by  HHS  as 
"ongoing  efforts"  are  acceptable.  New  ICRs  and  reviews  being 
substituted  for  ICRs  are  submitted  to  individuals  having  day-to- 
day  responsibility  for  the  areas  reviewed  for  their  concurrence 
and  development  of  proposed  corrective  actions.  ICOs  are  re¬ 
sponsible  for  reviewing,  approving,  and  monitoring  corrective 
actions. 

During  the  first  year's  operation,  HHS  reported  conducting 
1,135  ICRs.  About  870  of  these  were  ongoing  efforts  at  SSA. 


6 


Automated  internal  control 

tracking  system 

HHS  has  developed  an  automated  internal  control  tracking 
system  which  records  and  provides  information  on  the  Depart¬ 
ment's  6*238  internal  control  areas.  This  information  in¬ 
cludes  (1)  organizational  component  name,  (2)  function  covered, 
(3)  assessment  rating,  and  (4)  the  results  of  ICRs.  ICR  data 
include  weaknesses  identified,  corrective  actions  taken  or 
scheduled,  and  the  internal  control  standards  not  met. 

Reporting  to  the  President 

and  the  Congress 

On  January  24,  1984,  the  Secretary  reported  to  the  Presi¬ 
dent  and  the  Congress  on  the  status  of  HHS*  system  of  internal 
accounting  and  administrative  control.  The  report  indicates 
that  based  on  (1)  evaluations  performed  in  accordance  with  OMB 
guidelines  (tailored  to  the  Department's  organizational  and 
operational  environment),  (2)  assurances  given  by  appropriate 
HHS  officials,  and  (3)  other  information  provided,  the  HHS 
system  of  internal  accounting  and  administrative  control  in 
effect  during  the  year  ended  December  31,  1983,  taken  as  a 
whole,  provides  reasonable  assurance  that: 

— obligations  and  costs  are  in  compliance  with  applicable 
law; 

— funds,  property,  and  other  assets  are  safeguarded  against 
waste,  loss,  unauthorized  use,  or  misappropriation;  and 

— revenues  and  expenditures  applicable  to  HHS'  operations 
are  properly  recorded  and  accounted  for  to  permit  the 
preparation  of  accounts  and  reliable  financial  and  sta¬ 
tistical  reports  and  to  maintain  accountability  over  the 
assets. 

The  Secretary  reported  that  ICRs  conducted  by  HHS  in  1983 
identified  200  material  weaknesses. 1  Of  these,  78  had  been 
corrected,  and  action  plans  have  been  developed  with  the  goal  of 
correcting  the  remaining  122  by  December  31,  1984.  In  addition, 
the  Secretary  reported  that  over  1,000  nonmaterial  weaknesses 


lOMB  defines  a  material  weakness  which  should  be  reported  as  a 
situation  in  which  the  designed  procedures  or  the  degree  of 
operational  compliance  therewith  does  not  provide  reasonable 
assurance  that  the  objectives  of  internal  control  specified  in 
the  act  are  being  accomplished,  and  which  would  be  of  sig¬ 
nificance  to  the  President  and  the  Congress. 


had  been  identified  that  had  been  corrected  or  that  were  sched¬ 
uled  to  be  corrected  in  1984.  The  Secretary's  report  also  pro¬ 
vides  an  analysis  of  the  200  material  weaknesses  by  HHS  function 
and  Comptroller  General  internal  control  standard. 

Two  examples  of  the  200  material  weaknesses  identified  at 
HHS  aret 

— Insufficient  assurance  existed  at  Saint  Elizabeths  Hospi¬ 
tal  that  resources  have  been  safeguarded;  funds  expended 
in  a  manner  consistent  with  relevant  laws,  regulations, 
and  policies;  and  resources  managed  economically  and 
efficiently.  Recommended  corrective  actions  included 
engaging  an  independent  accounting  firm  to  conduct  an 
annual  audit.  This  action  is  scheduled  to  be  taken  by 
September  1984. 

—Under  the  Departmental  Federal  Assistance  Financing  Sys¬ 
tem,  funds  drawn  by  grantees  were  not  being  matched  to 
grantees'  immediate  needs.  As  a  result,  the  Department 
of  the  Treasury  has  incurred  additional  interest  esti¬ 
mated  at  $14  million  annually.  HHS  has  been  working  with 
Treasury,  OMB,  and  the  states  to  establish  improved  fund¬ 
ing  methods. 

Additional  examples  of  material  weaknesses  reported  by  HHS  are 
contained  in  appendix  V. 

The  Secretary  also  stated  that  the  Department  planned  to 
reassess  its  first-year  implementation  of  the  Financial  Integ¬ 
rity  Act  early  in  1984  and  will  change  its  policies,  procedures, 
and  methodologies,  as  appropriate,  after  it  evaluates  recom¬ 
mendations  from  GAO,  OMB,  OIG,  and  its  own  operating  staff. 

Accounting  systems 

The  Financial  Integrity  Act  requires  each  executive  agency 
to  annually  make  a  determination  as  to  whether  its  accounting 
systems  are  in  compliance  with  the  Comptroller  General's  ac¬ 
counting  principles  and  standards  and  to  report  the  results  of 
its  determination  to  the  President  and  the  Congress.  The  act 
does  not  require  OMB  to  issue  guidelines  for  implementing  this 
requirement,  but  OMB  intends  to  do  so.  HHS,  however,  developed 
its  own  approach  for  evaluating  and  reporting  on  its  accounting 
systems.  As  part  of  this  approach,  HHS 

—assigned  responsibility  to  senior  level  staff  for  manag¬ 
ing  and  carrying  out  accounting  systems  reviews  and 
ensuring  appropriate  corrective  actions. 


t 

1 


1 


8 


— initiated  efforts  to  develop  an  inventory  of  the  Depart¬ 
ment's  accounting  systems. 

— developed  a  checklist  of  the  Comptroller  General's  ac¬ 
counting  principles  and  standards  to  be  used  by  reviewers 
in  assessing  conformance  and  required  that  (1)  assertions 
of  conformance  by  agency  staffs  be  verified  through  sta¬ 
tistical  sampling  techniques,  interviews,  and  on-site 
observations  and  (2)  the  results  of  each  review  be  fully 
documented.  Due  to  time  constraints,  the  use  of  statis¬ 
tical  sampling  techniques  was  encouraged. 

— established  a  policy  calling  for  an  evaluation  of  each 
accounting  system  within  5  years. 

— reviewed  10  systems  in  1983 — 8  general  ledger  systems 
and  2  payroll  systems. 

— required  year-end  reports  from  heads  of  component  agen¬ 
cies  on  the  status  of  their  accounting  systems. 

On  January  24,  1984,  the  Secretary  issued  her  report  to 
the  President  and  the  Congress  stating  that  the  Department  had 
reviewed  its  general  ledger  and  payroll  systems  and  that,  taken 
as  a  whole,  the  systems  conformed  in  all  material  respects  to 
the  principles,  standards,  and  related  requirements  prescribed 
by  the  Comptroller  General.  The  Secretary  reported  23  areas  of 
nonconformance  for  which  corrective  action  plans  had  been  devel¬ 
oped  and  were  being  implemented.  For  example,  the  Secretary 
said  that  the  accounting  system  for  the  Office  of  the  Secretary, 
Division  of  Accounting  Operations,  does  not  assure  that  real  and 
personal  property  are  properly  recorded,  accounted  for,  and  de¬ 
preciated.  The  system  is  being  replaced  by  a  prototype  Standard 
Accounting  System  which  will  have  an  automated  property  account¬ 
ing  module  which  should  correct  this  deficiency. 

OBJECTIVES.  SCOPE. 

AND  METHODOLOGY 


The  objective  of  our  review  was  to  evaluate  HHS'  progress 
in  implementing  the  Financial  Integrity  Act  and  reporting  on  the 
status  of  the  Department's  internal  control  and  accounting  sys¬ 
tems.  Because  our  first-year  review  was  limited  to  an  evalua¬ 
tion  of  the  implementation  process,  we  did  not  independently  de¬ 
termine  the  status  of  the  Department's  internal  control  systems 
or  the  extent  to  which  the  Department's  accounting  systems  com¬ 
ply  with  the  Comptroller  General's  principles  and  standards. 

Our  review  was  performed  in  accordance  with  generally  accepted 
government  audit  standards. 


9 


Accounting  and 
administrative  controls 


With  respect  to  section  2  of  the  act — accounting  and  admin¬ 
istrative  controls — we  reviewed  the  HHS  and  OMB  instructions  and 
guidelines  and  their  application  at  HHS'  five  operating  divi¬ 
sions  (see  app.  I),  at  HHS  headquarters  for  Regional  Administra¬ 
tive  Support  Center  (RASC)  activities,  and  at  the  Denver  RASC. 

We  also  reviewed  the  activities  of  ASMB  ?*,nd  OIG  as  they  per¬ 
tained  to  (1)  development  of  guidelines  and  instructions, 

(2)  monitoring  the  implementation  of  guidelines  and  instructions 
including  quality  control,  and  (3)  reporting  on  the  results  of 
the  Department's  internal  control  initiative.  Our  review  did 
not  include  most  activities  of  the  Health  Resources  and  Services 
Administration — a  component  of  the  Public  Health  Service  (PHS) — 
because  of  its  recent  reorganization. 

Our  review  was  performed  at  HHS  headquarters.  Office  of 
Community  Services  (OCS),  and  Office  of  Human  Development  Serv¬ 
ices  ( OHDS )  headquarters  in  Washington,  D.C.y  SSA  and  HCFA  head¬ 
quarters  in  Baltimore,  Maryland;  PHS  headquarters  in  Rockville, 
Maryland;  National  Institutes  of  Health  headquarters  in 
Bethesda,  Maryland;  and  Centers  for  Disease  Control  (CDC)  head¬ 
quarters  in  Atlanta,  Georgia.  Regional  components  of  these 
agencies  were  reviewed  as  follows : 


HHS  components 


HHS  reqion 

SSA 

HCFA 

PHS 

RASC 

III 

Philadelphia 

X 

X 

IV 

Atlanta 

X 

X 

X 

VI 

Dallas 

X 

VII 

Kansas  City 

X 

VIII 

Denver 

X 

X 

X 

IX 

San  Francisco 

X 

In  addition  to  visiting  the  above  regional  offices,  in  regions 
III  and  IX  we  also  visited  SSA  district  offices,  branch  offices, 
teleservice  centers,  data  operations  centers,  and  program 
service  centers. 

Our  review  also  included  an  examination  of  VAs  and  ICRs 
(which  included  discussions  with  most  of  the  preparers  of  these 
documents),  as  shown  below. 


10 


Vulnerability  Assessments  and 
Internal  Control  Reviews 


Performed  by  HHS  and 

Examined 

"by  GAO 

VAs 

VAs 

ICRs 

ICRs 

performed 

examined 

performed 

examined 

SSA: 

VA — HHS  model 

351 

37 

VA — abbreviated 

form 

4,122 

240 

ICR — new 

2 

2 

ICR — ongoing 

effort 

871 

120 

HCFA 

135 

17 

15 

15 

PHS 

984 

351 

128 

45 

OHDS 

24 

5 

4 

1 

RASC 

160 

4 

33 

1 

OCS 

32 

0a 

0 

0 

VAs  and  ICRs  per- 

formed  at  other 

HHS  components 

430 

_ 0 

82 

_ 0 

Total 

6,238 

654 

1,135 

184 

aAt  OCS  we  reviewed  31  assessment  forms;  however,  we  could  not 
interview  personnel  who  performed  the  assessments  because  they 
are  no  longer  employed  by  the  agency. 

These  VAs  and  ICRs  were  selected  judgmentally  so  that  we  could 
examine  these  documents  for  a  cross-r  ~tion  of  organizational 
units  and  functional  areas. 


We  also  reviewed  HHS'  implementation  of  the  Department's 
ADP  security  program  which  is  required  by  OMB  Circular  A-71.2 
As  discussed  on  page  32,  HHS  directed  that  this  effort  be  sub¬ 
stituted  for  all  ADP  requirements  in  the  internal  control  as¬ 
sessment  and  review  process.  Our  review  of  the  Department's 
security  program  was  performed  principally  at  SSA  and  HCPA  and 
included  interviews  with  HHS  ADP  security  program  staff  and  re¬ 
views  of  reports  and  other  documentation  resulting  from  the  De¬ 
partment's  program. 


2Security  of  Federal  Automated  Information  Systems. 


11 


Accounting  systems 


For  our  review  of  the  Department ' s  actions  to  comply  with 
the  reporting  requirements  of  section  4  of  the  act — accounting 
systems — we  reviewed  the  Department ' s  instructions  and  their  im¬ 
plementation  to  evaluate  the  eight  general  ledger  and  two  pay¬ 
roll  systems'  compliance  with  the  Comptroller  General's  princi¬ 
ples  and  standards  and  related  requirements.  Our  review  covered 
systems  at  the  following  locations: 

*  Office  of  the  Secretary; 

#  SSA; 

*  HCFA; 

#  PHS : 

— CDC, 

— Food  and  Drug  Administration, 

— National  Institutes  of  Health,  and 
— Health  Resources  and  Services  Administration; 

#  Office  of  the  Assistant  Secretary  for  Personnel  Adminis¬ 
tration  {civilian  and  uniformed  service  payroll  systems); 
and 

*  ASMB  (Regional  Accounting  System). 

Additionally,  we  evaluated  ASMB's  and  OIG's  efforts  relative  to 
implementing  section  4  of  the  act.  ASMB  was  responsible  for  de¬ 
veloping  and  overseeing  HHS '  approach  to  evaluating  and  report¬ 
ing  on  its  accounting  systems.  OIG  evaluated  the  Department's 
first-year  efforts. 

Our  review  included  discussions  with  appropriate  personnel, 
examination  of  their  analyses  and  supporting  workpapers  for 
their  examination  of  10  accounting  systems,  reviews  of  prior  GAO 
and  OIG  reports  on  HHS'  accounting  systems,  and  component  agency 
and  departmental  reports  on  their  first-year  efforts  to  imple¬ 
ment  section  4  of  the  act. 


CHAPTER  2 

ADDITIONAL  GUIDANCE  NEEDED  ON 
IDENTIFICATION  OF  INTERNAL  CONTROL  AREAS 

All  of  HHS'  significant  activities  were  not  inventoried  for 
purposes  of  determining  their  vulnerability  to  fraud,  waste,  or 
abuse.  This  happened  because  HHS'  guidance  did  not  provide  a 
complete  list  of  department-wide  functions  for  use  by  its  compo¬ 
nents  and  because  the  components  did  not  always  recognize  all  of 
the  important  functions  performed  by  each  of  their  organiza¬ 
tional  units.  As  mentioned  on  page  5,  an  internal  control  area 
was  to  be  established  for  each  significant  function  at  each  or¬ 
ganizational  unit.  These  internal  control  areas  or  activities 
were  then  to  be  assessed  for  vulnerability.  Consequently,  an 
incomplete  inventory  of  internal  control  areas  results  in  a  lack 
of  assessments  of  the  vulnerability  of  certain  significant  HHS 
activities. 

Further,  in  some  cases  component  descriptions  of  estab¬ 
lished  internal  control  areas  were  so  general  that  the  scope  of 
activities  to  be  assessed  for  vulnerability  could  not  be  deter¬ 
mined.  These  problems  could  have  been  reduced  if  HHS  guidance 
had  included  (1)  a  more  comprehensive  list  of  its  functions, 

(2)  a  more  complete  explanation  to  its  components  on  what  con¬ 
stitutes  important  or  "significant"  responsibilities  of  organi¬ 
zational  units,  and  (3)  a  requirement  for  clear  descriptions  of 
the  scope  of  activities  associated  with  internal  control  areas. 
In  addition,  we  noted  one  internal  control  area  that  appeared  to 
be  too  large  to  allow  a  meaningful  VA  to  be  conducted. 

ALL  SIGNIFICANT  HHS  ACTIVITIES 
WERE  NOT  INVENTORIED 

OMB  guidelines  provide  that  agencies  develop  an  inventory 
of  internal  control  areas,  each  of  which  is  to  be  the  subject  of 
a  VA.  Further,  OMB  guidelines  state  that  the  inventory  should 
cover  all  program  and  administrative  functions. 

HHS*  instructions  to  component  agencies  on  how  to  divide 
themselves  into  internal  control  areas  for  conducting  VAs  were 
not  adequate  and  were  not  always  followed.  HHS'  instructions 
include  a  list  of  16  functional  areas,  such  as  procurement, 
grants,  and  cash,  which  HHS  believed  encompassed  all  of  its 
operations.  HHS  directed  its  component  agencies  to  identify  and 
inventory  an  internal  control  area  for  each  function  for  which 


13 


each  organizational  unit*  had  "significant  responsibility."  In 
addition,  HHS'  instructions  required  that  each  component  deter¬ 
mine  if  the  16  functions  covered  its  entire  range  of  activities 
and,  if  not,  add  the  missing  functions. 

HHS*  list  of  16  functions  did  not  include  all  of  the  De¬ 
partment's  important  functions.  Missing  functions  include  in- 
house  research,  health  care  services  delivery,  drug  regulation, 
and  disease  surveillance  and  prevention.  However,  none  of  the 
components  identified  any  additional  functions  that  they  per¬ 
formed.  For  example,  the  National  Institutes  of  Health  excluded 
in-house  research,  health  care  services  delivery,  and  other  pro¬ 
grammatic  functions  because  they  were  not  specifically  identi¬ 
fied  in  HHS'  list  of  functions.  CDC  excluded  many  of  its  pro¬ 
grammatic  functions  for  similar  reasons.  In  December  1983,  HHS' 
Inspector  General  reported  similar  omissions  for  Indian  Health 
Service  hospital  operations  and  Food  and  Drug  Administration 
district  office  laboratory  operations. 

We  also  found  that  in  several  instances  organizational 
units  appeared  to  have  significant  responsibility  for  1  or  more 
of  the  16  functions,  but  did  not  identify  internal  control  areas 
for  all  of  them.  For  example, 

— SSA  excluded  the  functions  of  travel  and  personnel  from 
its  inventory  of  internal  control  areas  for  all  headquar¬ 
ters  and  field  locations  except  the  Office  of  Management, 
Budget  and  Personnel.  This  was  done  because  SSA  felt 
that  the  organizational  unit  that  controlled  policy  and 
procedures  for  these  functions  was  the  only  one  that  had 
"significant  responsibility"  for  the  functions.  The  Of¬ 
fice  of  Management,  Budget  and  Personnel  establishes 
policy  and  procedures  for  both  functions.  However,  the 
bulk  of  supervisory  control  over  travel,  and  time  and 
attendance  takes  place  in  certain  SSA  headquarters  units 
and  throughout  its  field  offices.  It  is  in  these  loca¬ 
tions  that  decisions  of  appropriateness  and  necessity  for 
travel  and  overtime,  for  example,  are  made.  In  contrast, 
HCFA  assigned  separate  internal  control  areas  for  both 
functions  at  16  different  units  including  headquarters 
and  regions. 


iHHS'  instructions  call  for  identifying  all  organizational  com¬ 
ponents  down  to  a  minimum  of  three  organizational  levels  below 
the  operating  division  head  and  two  organizational  levels  below 
the  staff  division  head  which  have  significant  responsibility 
for  1  or  more  of  the  16  functions. 


14 


— OHDS  excluded  the  programmatic  functions  of  its  10  re¬ 
gional  offices  because  it  incorrectly  believed  another 
HHS  organization  was  responsible  for  covering  them. 

HHS'  instructions  to  component  agencies  state  that  internal 
control  areas  are  to  be  organizational  components  with  "signifi¬ 
cant  responsibility"  for  1  or  more  of  16  internal  control  func¬ 
tions.  Although  the  HHS  instructions  provide  guidance  on  the 
number  of  organizational  levels  down  to  which  internal  control 
areas  with  significant  responsibility  will  be  identified,  they 
do  not  explain  what  constitutes  "significant  responsibility." 

We  believe  that  this  contributed  to  considerable  variation  in 
interpretation.  HHS'  instructions  do  not  provide  the  necessary 
guidance  for  a  consistent  approach  to  identifying  internal  con¬ 
trol  areas  and  do  not  assure  that  a  complete  inventory  of  its 
important  activities  in  each  organizational  unit  will  be  de¬ 
veloped  . 

INTERNAL  CONTROL  AREA  DESCRIPTIONS 
WERE  TOO  GENERAL 

HHS*  instructions  require  component  agencies  to  prepare  an 
inventory  of  internal  control  areas  that  includes  a  brief  de¬ 
scription  of  the  function  covered  in  each  area  in  quantifiable 
terms,  such  as  dollars  and/or  volume.  However,  the  instructions 
do  not  elaborate  on  the  specific  types  of  information  that 
should  be  included  and  provide  no  model  description.  Conse¬ 
quently,  many  of  the  descriptions  we  reviewed  were  so  general 
that  neither  we  nor  others  reviewing  the  inventory  could  deter¬ 
mine  what  specific  activities  should  be  assessed  for  vulner¬ 
ability.  For  example; 

— ICO  staff  at  HCFA  informed  us  that  they  included  monitor¬ 
ing  benefit  payments  (which  totaled  $73  billion  in  fiscal 
year  1983)  in  the  internal  control  area  for  the  Bureau  of 
Program  Operations'  "procurement  and  purchasing"  func¬ 
tion.  However,  the  narrative  description  of  the  area  was 
unclear  as  to  whether  benefit  payment  monitoring  activi¬ 
ties  should  have  been  assessed.  The  person  performing 
the  VA  for  this  internal  control  area  said  he  did  not 
cover  benefit  payments  in  his  assessment  because  he  did 
not  know  they  were  included.  He  assessed  the  area’s 
vulnerability  for  administrative  purchases  of  certain 
supplies  and  furniture. 


— A  number  of  narrative  descriptions  prepared  by  components 
of  PHS  did  not  contain  detailed  descriptions  of  activi¬ 
ties  to  be  included  in  the  internal  control  areas.  To 
illustrate,  the  internal  control  area  of  "cash"  at  CDC 


did  not  identify  the  amount  of  cash  involved  or  the  num¬ 
ber  or  location  of  organizational  units  that  handle  cash. 
As  a  result,  the  person  performing  the  ICR  for  cash 
omitted  the  agency's  largest  imprest  cash  fund  ($55,000) 
from  the  review.  Similarly,  the  descriptions  of  internal 
control  areas  for  the  "receivables,  loans,  and  advances” 
function  at  the  Food  and  Drug  Administration  did  not  in¬ 
clude  information  on  the  total  amount  of  receivables 
covered  by  the  internal  control  area.  As  a  result,  we 
could  not  determine  whether  all  accounts  were  covered  in 
the  inventory. 

NEED  TO  REEVALUATE  SIZE 
OF  INTERNAL  CONTROL  AREA  COVERING 
TWO  SIGNIFICANT  PROGRAMS 

OMB  guidelines  state  that  internal  control  areas  should  be 
of  an  appropriate  size  and  nature  to  allow  meaningful  VAs  to  be 
conducted.  HCFA  placed  responsibility  for  monitoring  the  appro¬ 
priateness  of  payments  under  the  Medicaid  and  Medicare  programs 
into  one  internal  control  area — the  Bureau  of  Program  Opera¬ 
tions'  procurement  and  purchasing  function.  We  believe  that 
this  internal  control  area  may  be  too  large  for  a  meaningful  VA 
for  several  reasons. 

First,  the  Medicare  and  Medicaid  programs  are  very  large — 
totaling  over  $70  billion  annually.  Second,  the  two  programs 
are  administered  differently — Medicare  essentially  through  con¬ 
tractors  and  Medicaid  through  grants  to  states.  Third,  in  addi¬ 
tion  to  covering  monitoring  activities,  the  procurement  and  pur¬ 
chasing  function  covers  such  activities  as  negotiating  Medicare 
contracts  and  coordinating  Medicaid  grant  awards.  Vulnerabili¬ 
ties  for  these  activities  may  be  different  than  those  for  moni¬ 
toring.  Finally,  in  addition  to  the  Bureau  of  Program  Opera¬ 
tions,  another  bureau  and  all  10  of  its  regional  offices  have 
roles  in  operating  HCFA's  more  than  30  monitoring  systems  for 
Medicare  and  Medicaid  payments,  and  vulnerabilities  may  differ 
among  organizations  and  monitoring  systems. 

We  discussed  our  concern  about  the  size  of  this  internal 
control  area  with  HCFA  ICO  staff.  They  acknowledged  the  problem 
and  said  that  they  had  considered  covering  Medicare  and  Medicaid 
differently  but  decided  to  do  what  they  had  done  because  they 
viewed  monitoring  as  one  of  several  activities  falling  under  the 
procurement  and  purchasing  function. 

PROPOSED  CORRECTIVE  ACTIONS 
AND  Hite*  RESPONSE 

In  a  draft  of  this  report,  we  proposed  that  HHS  improve  its 
instructions  for  the  segmentation  process  by 


16 


t 


i' 

i 

— revising  its  list  of  agency  functions  to  include  all 
significant  functions, 

— providing  additional  guidance  on  what  constitutes  a  "sig¬ 
nificant  responsibility"  so  that  a  more  consistent  inter¬ 
pretation  can  be  applied  by  the  component  agencies,  and 

— requiring  more  specific  descriptions  of  its  internal  con¬ 
trol  areas  so  that  the  scope  of  activities  included  will 
be  clearly  stated  for  purposes  of  performing  VAs  and 
ICRs. 

In  addition,  we  proposed  that  the  Department  reevaluate  its  seg¬ 
mentation  process  for  purposes  of  effectively  assessing  the  vul¬ 
nerability  of  the  Medicare  and  Medicaid  programs. 

In  commenting  on  the  draft  report,  HHS  agreed  to  take  the 
actions  we  proposed.  HHS  said  that  it 

— was  reviewing  its  list  of  internal  control  functions  to 
determine  how  to  expand  it  to  include  additional  signifi¬ 
cant  functions, 

— would  provide  necessary  additional  guidance  on  the  term 
"significant  responsibility," 

—would  assure  that  the  scope  of  activities  for  each  func¬ 
tion  provides  a  clear  and  comprehensive  description  of 
the  functional  area,  and 

— would  review  the  segmentation  process  for  the  Medicare 
and  Medicaid  programs. 

Because  HHS  agreed  to  take  action  on  these  proposals,  as 
well  as  those  we  made  in  subsequent  chapters  relative  to  other 
aspects  of  HHS'  internal  control  and  accounting  systems  evalua¬ 
tion  and  improvement  process,  we  are  not  making  recommendations 
to  the  Department  in  this  report.  However,  we  plan  to  track 
HHS*  progress  in  taking  the  promised  corrective  actions.  (See 
app.  VI  for  HHS'  comments  on  our  draft  report.) 


i 

i 


CHAPTER  3 


VULNERABILITY  ASSESSMENT  PROCESS 
NEEDS  IMPROVEMENT 

The  HHS  VA  process  did  not  produce  results  that  could  be 
used  for  reliably  identifying  highly  vulnerable  areas,  schedul¬ 
ing  ICRs,  or  taking  other  appropriate  action.  In  addition,  the 
HHS  VA  process  did  not  identify  known  systemic  weaknesses  for 
purposes  of  listing  them  in  the  Department's  year-end  report. 

No  highly  vulnerable  ratings  were  produced  by  the  preparers 
of  HHS*  model  VA  form  in  any  of  the  five  operating  divisions. 
Also,  for  purposes  of  scheduling  ICRs,  SSA's  ICO  discounted  the 
highly  vulnerable  ratings  produced  by  SSA  field  staff  using  an 
abbreviated  VA  form  because  of  variances  in  how  the  forms  were 
completed.  The  results  of  HHS1  VA  process  were  distorted  be¬ 
cause  (1)  the  assessments  did  not  consider  all  factors  necessary 
to  accurately  determine  vulnerability,  (2)  the  scoring  system 
used  for  the  HHS  model  VA  form  was  biased  toward  low  and  moder¬ 
ate  ratings,  and  (3)  the  HHS  model  form  was,  in  some  cases, 
inaccurately  completed. 

Limited  documentation  accompanying  vulnerability  ratings 
also  hampered  the  usefulness  of  HHS*  VA  process.  VA  forms  do 
not  generally  contain  the  rationale  for  the  ratings  given  nor  do 
they  record  internal  control  weaknesses,  such  as  those  previ¬ 
ously  reported  in  GAO  or  OIG  reports,  which  are  noted  during  the 
assessment  process.  Although  OMB  guidelines  do  not  specifically 
provide  for  rating  rationale  to  be  recorded,  we  believe  it  would 
be  helpful  for  (1)  determining  the  most  appropriate  action  to  be 
taken  as  a  result  of  the  assessment,  (2)  preparing  the  Secre¬ 
tary's  annual  report  on  internal  controls,  and  (3)  evaluating 
the  validity  of  the  VA  results. 

ASMB  officials  stated  that  HHS  had  not  emphasized  the  VA 
process  because  they  believe  HHS'  requirement  to  conduct  ICRs  on 
all  internal  control  areas  within  5  years  greatly  reduces  the 
importance  of  VAs  in  scheduling  ICRs.  The  purpose  of  a  VA  is  to 
make  an  initial  identification  of  the  most  vulnerable  areas  so 
that  resources  can  be  directed  to  identifying  and  correcting  or 
preventing  the  most  significant  problems  first.  Unreliable  VAs 
can  result  in  high  vulnerability  going  undetected  and  uncor¬ 
rected  for  years. 


HHS  *  GUIDANCE  DOES  NOT  PROVIDE 
FOR  COMPREHENSIVE  ASSESSMENTS 

HHS  developed  a  model  form  for  conducting  VAs  which  does 
not  consider  several  of  the  factors  that  are  necessary  for  com¬ 
prehensive  assessments,  such  as  program  size  and  complexity,  and 
the  effectiveness  of  existing  safeguards.  This  form  was  used 
throughout  HHS,  except  for  SSA's  field  office  assessments.  SSA 
developed  an  abbreviated  form  for  use  in  its  1,374  field  offices 
due  to  the  large  number  of  offices  involved. 

Preparers  of  the  SSA  form  were  instructed  to  use  their 
judgment  in  assigning  general  ratings  of  high,  moderate,  or  low 
vulnerability.  No  consideration  of  any  specific  factors  was 
required.  Without  an  assessment  approach  that  requires  the 
systematic  consideration  of  all  relevant  factors,  we  believe  it 
is  impossible  to  determine  if  the  results  of  the  assessments  are 
reliable. 

Of  the  4,122  assessments  prepared  using  the  SSA  form,  2,485 
were  rated  low,  1,328  moderate,  and  309  high.  However,  SSA  did 
not  use  the  high  ratings  to  schedule  ICRs.  SSA's  ICO  stated 
that  the  preparers  who  used  the  abbreviated  form  considered  in¬ 
herent  program  vulnerabilities,  rather  than  the  vulnerability  of 
specific  locations,  and  therefore,  the  resulting  assessments  did 
not  provide  an  appropriate  basis  for  scheduling  ICRs.  The  ICO 
called  for  any  ongoing  efforts  covering  field  offices  that  could 
be  used  as  substitutes  for  ICRs.  He  accepted  substituted  re¬ 
views  until  enough  were  received  to  satisfy  HHS '  first-year 
requirement  on  the  number  of  ICRs  to  be  performed. 

Preparers  of  the  HHS  model  form  were  instructed  to  consider 
10  specific  ranking  factors*  in  completing  their  assessments 
(see  app.  III).  These  factors  did  not  lead  to  comprehensive 
assessments.  OMB  guidelines  issued  after  HHS  completed  its 
first-year  assessments  contain  additional  factors  which  we  be¬ 
lieve  should  be  considered  in  the  Department's  second-year 
effort.  The  OMB  guidelines  prescribe  a  three-step  process,  and 
factors  that  should  be  considered  in  each  step. 

— First,  an  analysis  of  the  general  control  environment 
including  an  evaluation  of  eight  factors.  HHS  requires 
consideration  of  only  some  part  of  three:  personnel, 
policies  and  procedures,  and  organizational  checks  and 
balances.  HHS  omits  the  consideration  of  such  factors  as 
management  attitude  and  budgeting  and  reporting  prac¬ 
tices  . 


*The  form  allows  for  the  adding  of  other  factors,  but  no  assess¬ 
ment  we  reviewed  had  any  added  factors. 


— Second/  an  analysis  of  inherent  risks#  including  an 
evaluation  of  eight  additional  factors.  HHS  requires 
the  evaluation  of  only  some  part  of  three:  impact  out¬ 
side  the  agency,  prior  reviews,  and  age  and  life  expect¬ 
ancy  of  the  program.  HHS  does  not  require  consideration 
of  such  important  factors  as  purpose  and  characteristics, 
budget  level,  and  management  responsiveness. 

— Third,  a  preliminary  evaluation  of  safeguards,  which  HHS 
does  not  require. 

THE  SCORING  SYSTEM  IS  BIASED 
AGAINST  ACHIEVING  A  HIGHLY 
VULNERABLE  RATING 

None  of  the  assessments  for  HHS'  operating  divisions  re¬ 
ceived  a  mathematical  rating  of  high  vulnerability  where  the  HHS 
model  form  was  used.  We  believe  this  occurred  primarily  because 
of  the  scoring  system  incorporated  into  the  form.  The  system 
provides  that  each  applicable  factor  be  scored  1,  2,  or  3,  indi¬ 
cating  low,  moderate,  or  high  vulnerability.  The  scores  are  to 
be  totaled  and  divided  by  the  number  of  factors  used  to  arrive 
at  an  overall  average  score  for  each  area.  A  rating  scale  on 
the  form  is  used  to  translate  the  average  score  into  an  overall 
rating  of  low,  moderate,  or  high  vulnerability.  A  major  problem 
is  that  the  factors  do  not  have  the  same  relative  importance  to 
all  internal  control  areas,  but  the  system  does  not  provide  for 
preparers  to  weight  the  factors  to  emphasize  the  most  important 
one(s)  for  each  area. 

Although  there  are  cases  where  scoring  one  factor  as  high 
should  appropriately  result  in  the  entire  area  being  rated 
highly  vulnerable,  where  10  ranking  factors  are  used  the  VA  form 
requires  that  at  least  4  of  them  must  be  scored  high  in  order  to 
arrive  at  a  mathematical  rating  of  highly  vulnerable.  This  as¬ 
sumes  that  all  of  the  other  six  factors  are  scored  as  moderately 
vulnerable.  If  some  are  low,  more  than  four  factors  will  have 
to  be  ranked  high  to  result  in  an  overall  (or  average)  rating  of 
highly  vulnerable.  For  example,  1  of  HCFA's  135  assessments  was 
given  the  highest  point  value  for  five  ranking  factors.  How¬ 
ever,  each  of  the  other  five  factors  was  given  the  lowest  pos¬ 
sible  point  value,  resulting  in  a  mathematical  rating  equivalent 
to  moderately  vulnerable.  In  another  case  an  official  at  PHS 
said  he  knew  a  unit  he  assessed  was  highly  vulnerable.  However, 
even  after  several  attempts,  the  highest  mathematical  rating  he 
could  assign  the  unit  was  equivalent  to  moderately  vulnerable. 

Two  additional  situations  skewed  the  overall  ratings  toward 
low  or  moderate  vulnerability.  First,  HHS  requirements  are  con¬ 
flicting  for  scoring  the  factors  "Access  to  Cash/Negotiable 


20 


in  iliiiikiHu'iiiii  i 


Instruments"  and  "Physical  Security"  if  the  unit  does  not  handle 
cash  and  has  no  particular  need  for  special  security  arrange¬ 
ments.  Instructions  for  assessing  each  of  these  factors  state 
that  they  should  be  rated  “1"  if  cash  and  security  are  not  ap¬ 
plicable  to  the  function.  The  overall  instructions  for  complet¬ 
ing  all  factors  state  that  if  a  factor  is  not  applicable,  it 
should  be  rated  "N/A,"  and  documentation  should  be  kept  to  jus¬ 
tify  this  rating.  If  a  unit  does  not  handle  cash  or  need  spe¬ 
cial  security  arrangements,  the  assessor  could  score  those  fac¬ 
tors  either  "1"  or  "N/A."  If  he  chose  the  former,  the  overall 
vulnerability  score  for  the  unit  would  be  lower  than  if  the 
assessor  used  the  "N/A"  designation.  In  HCFA  103  of  its  total 
of  135  assessments  showed  a  score  of  1  for  one  or  both  of  these 
factors  even  though  they  could  have  been  scored  "N/A." 

Second,  HHS'  instructions  on  scoring  the  two  factors  relat¬ 
ing  to  audits  can  contribute  to  lowering  the  overall  rating  of 
vulnerability.  "Results  of  Audits"  is  to  be  scored  high  in  the 
event  of  a  negative  audit.  However,  the  factor  "Interval  Since 
Most  Recent  Audit"  is  to  be  scored  low  if  the  audit  was  com¬ 
pleted  in  the  most  recent  year.  Consequently,  the  net  effect  of 
a  recently  completed  negative  audit  is  diluted  for  purposes  of 
determining  the  overall  vulnerability. 

In  the  absence  of  high  vulnerability  ratings,  ICOs  were 
left  with  finding  other  bases  for  scheduling  ICRs.  HCFA's  ICO 
used  his  override  authority  to  rate  some  units  highly  vulner¬ 
able.  However,  the  majority  of  these  overrides  were  based  on 
judgments  of  the  vulnerability  of  entire  functions,  rather  than 
of  individual  areas. 

EXPLANATIONS  OF  SCORES 
ARE  NOT  REQUIRED 


HHS  does  not  require  that  VAs  report  the  basis  for  scores 
and  ratings  given.  It  requires  only  the  reporting  of  numeric 
assessment  scores  and  overall  ratings.  The  scores  and  ratings, 
if  reliable,  should  be  useful  in  determining  which  areas  to  re¬ 
view  first.  They  are  not  very  useful  for  (1)  identifying  spe¬ 
cific  problems  to  be  considered  in  designing  ICRs,  (2)  tracking 
and  correcting  weaknesses  noted  in  the  process,  or  (3)  explain¬ 
ing  assessment  rationale  to  persons  who  use  VAs. 

SSA's  ICO  recognized  the  need  for  an  explanation  of  scoring 
rationale  in  a  September  1982  memorandum  which  instructs  SSA 
staff  completing  the  HHS  model  VA  form  to  provide  such  rationale 
when  feasible.  The  ICO  stated* 


21 


MiitHiiiiMlili 


"The  rationale  can  be  helpful  in  setting  our  priori¬ 
ties  for  subsequent  internal  control  reviews,  can 
provide  a  basis  for  tying  in  previously  identified 
vulnerabilities  and  audits,  and  can  pinpoint  specific 
areas  of  concern." 

About  45  percent  of  SSA's  ratings  prepared  on  the  HHS 
model  form  contained  statements,  but  they  were  generally  inade¬ 
quate  to  explain  scoring  rationale.  We  noted  no  such  statements 
on  assessments  prepared  in  any  other  HHS  components. 

WEAKNESSES  IDENTIFIED  IN 
EXTERNAL  REPORTS  WERE 
SOMETIMES  OVERLOOKED  IN 
VULNERABILITY  ASSESSMENTS 

Internal  control  problems  identified  by  congressional  com¬ 
mittees,  GAO,  OIG,  and  an  agency  contractor  were  not  always  ade¬ 
quately  considered  in  the  VA  process.  For  15  of  21  internal 
control  areas  that  we  were  able  to  associate  with  weaknesses 
identified  in  GAO  and  OIG  reports,  no  consideration  was  given  to 
the  weaknesses.  For  example,  over  the  past  few  years  GAO  re¬ 
ported  on  weaknesses  in  controls  over  SSA's  supplemental  secu¬ 
rity  income  program  (HRD-81-4,  Feb.  4,  1981),  and  its  system  for 
assuring  the  propriety  of  earnings  records  (HRD-82-18,  Apr.  28, 
1982).  Corrective  actions  have  not  been  taken  on  these  con¬ 
trols.  For  the  internal  control  areas  which  are  responsible  for 
controlling  these  operations,  assessors  marked  the  factor 
"Results  of  Audits"  with  "N/A. "  Other  weaknesses,  which  GAO  or 
the  OIG  identified  in  the  past  several  years  that  were  generally 
not  addressed  in  VAs,  involved  benefit  payments  under  Medicare 
and  Medicaid. 

HHS  DOES  NOT  RECORD 
WEAKNESSES  IDENTIFIED  IN 
THE  ASSESSMENT  PROCESS 

HHS  doe 8  not  have  a  procedure  for  recording  weaknesses 
identified  in  the  VA  process.  HHS'  instructions  merely  state 
that  weaknesses  requiring  immediate  corrective  action  be  brought 
to  the  attention  of  appropriate  officials.  They  do  not  provide 
for  documenting  weaknesses  identified  in  the  VA  process,  enter¬ 
ing  them  into  the  Department's  system  for  tracking  internal  con¬ 
trol  weaknesses,  or  considering  them  in  the  Secretary's  assur¬ 
ance  letter  required  by  the  act. 


I 

l 

i 


1 


OTHER  CONDITIONS  RAISE 
QUESTIONS  ABOUT  THE  VALIDITY 
OF  ASSESSMENT  RESULTS 

Sufficient  time  and  training  may  not  have  been  provided  to 
individual  preparers  of  assessments  to  perform  an  adequate  anal¬ 
ysis  of  vulnerability.  Of  the  HCFA  and  SSA  preparers  we  inter¬ 
viewed  at  the  regional  and  field  office  levels,  most  said  they 
were  working  under  tight  time  constraints  to  complete  the  VAs. 
One  SSA  area  director  told  us  that  he  performed  the  assessments 
for  60  internal  control  areas  in  less  than  an  hour. 

HHS  provided  guidance  in  its  technical  memorandum  on  how  to 
conduct  VAs.  In  addition,  HHS  and  its  components  provided  guid¬ 
ance  to  some  of  the  individuals  involved  in  the  VA  process. 
Several  preparers  said  they  should  have  had  more  background  in¬ 
formation,  guidance,  or  training  for  the  VA  process.  For  ex¬ 
ample,  at  SSA 

— a  regional  official,  who  assessed  the  wrong  activities 
in  preparing  one  VA  we  reviewed,  said  that  the  instruc¬ 
tional  material  did  not  provide  an  adequate  guide  for 
conducting  a  VA; 

— another  regional  official  said  he  would  not  have  taken 
the  exercise  so  lightly  and  probably  would  have  rated  an 
assessment  we  reviewed  higher  had  he  received  a  proper 
explanation  of  the  goals  of  the  act  and  how  to  complete 
the  HHS  model  assessment  form; 

— an  area  director  in  the  field  said  he  would  have  been 
able  to  provide  a  better  response  had  he  received  train¬ 
ing  on  the  exercise;  and 

— several  preparers  questioned  the  value  of  the  VA  effort 
because  of  the  limited  amount  of  background  information 
provided  and  the  short  time  frames  allowed. 

HHS'  instructions  recognize  the  dependence  of  the  assess¬ 
ment  process  on  the  professional  judgment  of  managers  respon¬ 
sible  for  the  internal  controls.  However,  the  VAs  we  reviewed 
generally  were  performed  by  someone  other  than  the  responsible 
area  managers.  For  example,  a  CDC  central  office  official  as¬ 
sessed  six  areas  without  consulting  area  managers.  In  fact, 
managers  of  90  of  CDC's  107  internal  control  areas  were  not  even 
informed  of  the  Financial  Integrity  Act  requirements. 


23 


PROPOSED  CORRECTIVE  ACTIONS 
AND  HHS 1  RESPONSE 


In  our  draft  report,  we  proposed  that  the  Departments 

— Develop  assessment  instruments  for  conducting  VAs  which 
include  all  factors  OMB  considers  necessary  to  determine 
the  relative  vulnerability  of  each  internal  control  area. 

— Require  a  written  explanation  of  the  rationale  for  VA 
scores.  The  explanation  should  be  sufficient  to  enable 
an  independent  party  to  arrive  at  a  similar  rating  as  did 
the  assessor.  It  should  include  weaknesses  identified  as 
well  as  other  information  necessary  for  assuring  that 
concerns  of  the  assessor  are  communicated  to  preparers  of 
ICRs  or  other  appropriate  personnel. 

— More  fully  consider  in  the  VA  process  weaknesses  identi¬ 
fied  in  GAO  reports  and  reports  from  other  external 
sources. 

— Require  that  weaknesses  identified  during  the  VA  process 
be  documented  and  entered  into  the  HHS  system  for  track¬ 
ing  internal  control  weaknesses,  followed  up,  and  con¬ 
sidered  for  inclusion  in  the  annual  report  to  the  Presi¬ 
dent  and  the  Congress. 

— Provide  VA  preparers  the  necessary  background  informa¬ 
tion,  training,  and  time  to  complete  meaningful  assess¬ 
ments. 

In  commenting  on  our  draft  report,  HHS  concurred  with  our 
proposals  and  said  that  it 

— was  reviewing  its  VA  policies  and  procedures  with  the 
goal  of  revising  them  to  reflect  all  significant  factors 
OMB  considers  necessary, 

— believed  a  written  explanation  of  VA  rating  rationale 
would  be  beneficial  and  will  determine  what  steps  need  to 
be  taken  to  assure  that  internal  control  weaknesses  iden¬ 
tified  during  the  VA  process  are  addressed, 

—will  determine  the  feasibility  of  documenting  weaknesses 
identified  during  the  VA  process,  entering  them  into  its 
Internal  Control  Tracking  System,  and  evaluating  the  ex¬ 
tent  to  which  such  weaknesses  should  be  included  in  its 
annual  report,  and 

—will  determine  what  steps  could  be  taken  to  provide  VA 
preparers  with  additional  training  and  background 
information. 


24 


CHAPTER  4 


IMPROVEMENTS  ARE  NEEDED  IN  HHS1 
INTERNAL  CONTROL  REVIEWS 


HHS'  ICRs  did  not  fully  evaluate  internal  controls  to  de¬ 
termine  if  they  were  adequate  and  if  they  were  implemented  to 
prevent  or  detect  the  occurrence  of  potential  risks.  Many  of 
the  ICRs  we  reviewed  missed  important  evaluation  factors,  did 
not  evaluate  all  of  the  controls  associated  with  each  internal 
control  area,  and  were  not  adequately  documented.  ICRs  were  in¬ 
complete  because  HHS  did  not  require  component  agencies  to  per¬ 
form  all  the  steps  OMB  considers  necessary  in  its  guidelines, 
and  documentation  was  incomplete  because  component  agencies  did 
not  always  follow  HHS'  instructions. 

ICRS  DID  NOT  EVALUATE 
ALL  IMPORTANT  FACTORS 


The  ICRs  and  the  ongoing  efforts  approved  as  ICRs  which  we 
reviewed  generally  did  not  include  (1)  a  comprehensive  evalua¬ 
tion  of  the  general  control  environment,  (2)  documentation  of 
event  cycles,  or  (3)  evaluation  of  the  appropriateness  of  con¬ 
trol  techniques  and  objectives.  In  addition,  many  of  the  ICRs 
did  not  include  actual  testing  of  controls  to  determine  whether 
their  operation  was  effective  and  in  compliance  with  established 
policies  and  procedures. 

OMB's  internal  control  guidelines  provide  that  an  adequate 
review  of  internal  controls  should  include 

— identification  and  documentation  of  event  cycles  which 
are  processes  used  to  (1)  initiate  and  perform  related 
activities,  (2)  create  the  necessary  documentation,  and 
(3)  gather  and  report  related  data.  We  believe  this  is 
necessary  because  a  reviewer  cannot  appreciate  the  objec¬ 
tives  of  a  control  unless  the  role  of  the  control  in  the 
entire  sequence  of  events  is  known.  For  example,  a  re¬ 
viewer  cannot  determine  the  effectiveness  of  a  computer¬ 
ized  edit  check  for  medical  necessity  until  he/she  knows 
that  only  eligible  individuals  are  allowed  to  submit 
claims  into  the  payment  system  and  that  a  manual  check  of 
the  claim  will  be  made  only  if  the  computer  fails  to 
process  the  claim. 

— an  analysis  of  the  general  control  environment  which 
would  include  factors,  such  as  management  attitude,  or¬ 
ganizational  structure,  personnel,  budgeting  and  report¬ 
ing  practices,  policies  and  procedures,  and  organiza¬ 
tional  checks  and  balances.  We  believe  such  an  analysis 


25 


is  necessary  because  it  reveals  the  capability  of  spe¬ 
cific  controls  to  accomplish  their  objectives  considering 
their  environment.  For  example,  if  management  is  not 
committed  to  the  objective  of  payment  accuracy,  but  in¬ 
stead  is  more  interested  in  making  payments  in  a  timely 
manner,  it  may  choose  to  bypass  computerized  accuracy 
edits  or  circumvent  manual  payment  accuracy  checks  which 
tend  to  slow  down  claims  processing. 

— evaluation  and  testing  the  internal  controls  within  the 
event  cycle.  We  believe  this  is  necessary  in  order  to 
determine  if  the  controls  required  by  existing  policies 
and  procedures  are  in  place,  if  they  are  adequate  to  ac¬ 
complish  their  objective,  and  if  they  are  providing  the 
level  of  control  anticipated. 

— reporting  of  results.  We  believe  this  is  necessary  in 
order  to  inform  management  about  which  controls  are  ade¬ 
quate  and  which  are  inadequate  and  need  to  be  improved. 

The  HHS  guidelines  do  not  require  the  kind  of  comprehensive 
and  systematic  analysis  contemplated  by  the  OMB  guidelines. 

They  do  not  require  the  identification  or  documentation  of  event 
cycles  or  an  analysis  of  the  general  control  environment. 
Instead,  they  suggest  only  the  evaluation  and  testing  of  con¬ 
trols  in  place  and  the  reporting  of  results.  Without  this  type 
of  analysis  it  is  difficult  to  evaluate  the  ability  of  existing 
internal  controls  to  effectively  accomplish  appropriate  objec¬ 
tives. 


Most  of  the  ICRs  we  reviewed  were  inadequate  for  the  pur¬ 
pose  of  determining  the  effectiveness  of  the  controls  in  place 
because  they  did  not  include  all  the  elements  of  review  needed 
to  fully  evaluate  the  internal  controls.  In  some  cases  the  ele¬ 
ments  were  not  considered  at  all,  and  in  other  cases,  the  ele¬ 
ments  were  only  minimally  addressed  with  little  evidence  of 
analysis.  The  following  chart  shows  the  various  ICR  elements 
discussed  in  the  paragraphs  above  which  we  believe  were  not 
adequately  included  in  the  ICRs  we  reviewed  at  each  listed  com¬ 
ponent  agency. 


26 


HHS 

components 

ICR  elements 

HCFA 

SSA 

PHS 

OHDS 

Identification  and  documentation 

of  event  cycles 

Analysis  of  general  control 

X 

X 

environment 

Management  attitude 

X 

X 

X 

X 

Organization  structure 
Budgeting  and  reporting 

X 

X 

X 

practices 

X 

X 

X 

Policies  and  procedures 
Delegation  and  communication 

X 

X 

of  authority 

X 

X 

X 

X 

Evaluation  and  testing  of  internal 

control  objectives 

X 

X 

X 

HHS '  ICR  guidelines  recommend  that  the  components  substi¬ 
tute  ongoing  efforts  in  lieu  of  conducting  new  ICRs  wherever 
possible.  Acceptable  substitutes  may  be  reviews  performed  by 
GAO,  OIG,  management,  or  other  control  agencies  which  meet  the 
objectives  of  an  ICR.  For  1983,  SSA  substituted  871  ongoing 
efforts  for  ICRs  and  completed  two  new  ICRs.  It  elected  to  do 
this  in  order  to  meet  HHS 1  short  time  frames  and  to  avoid  a 
large  dedication  of  staff  time  to  conduct  new  ICRs.  SSA’s  sub¬ 
stitutes  represent  about  77  percent  of  HHS’  ICR  efforts. 

We  reviewed  a  sample  of  120  approved  ongoing  efforts  at 
various  SSA  offices  and  concluded  that  these  efforts  were  com¬ 
pliance  reviews,  essentially  examining  the  units’  adherence  to 
existing  policies  and  procedures.  These  efforts  did  not  comply 
with  OMB  guidelines  because  they  did  not  consider  the  general 
control  environment,  identify  event  cycles,  determine  the  need 
for,  or  appropriateness  of,  additional  control  techniques,  or 
evaluate  control  objectives. 

SSA  is  drafting  revised  procedures  which  will  require  field 
office  operations  and  controls  to  be  routinely  reviewed.  SSA 
plans  to  use  these  reviews  as  ICR  substitutes  for  all  of  its 
field  offices.  As  currently  drafted,  this  guide  will  produce 
incomplete  ICRs  because  it  does  not  require  all  the  steps  pro¬ 
vided  for  in  OMB's  guidelines,  such  as  an  evaluation  of  the 
appropriateness  of  controls  and  of  the  general  control  environ¬ 
ment. 

SOME  ICRS  DID  NOT  EVALUATE 
ALL  CONTROLS  INCLUDED  IN  THE 
INTERNAL  CONTROL  AREA 

HHS '  guidance  states  that  ICRs  are  intended  to  assess  all 
controls  associated  with  the  full  range  of  activities  for  a 


27 


specific  function  within  an  internal  control  area.  At  SSA,  how¬ 
ever,  the  ICR  performed  on  the  "sales"  function  at  headquarters 
evaluated  only  controls  over  the  sale  of  such  resources  as  waste 
paper  and  silver.  Reimbursable  services  amounting  to  $5.2  mil¬ 
lion  in  fiscal  year  1982  were  not  included  in  this  evaluation 
because  the  individual  who  performed  the  ICR  did  not  believe 
that  he  was  supposed  to  review  the  internal  controls  over  these 
services. 

One  of  the  ICRs  performed  at  CDC  was  on  the  accounts  re¬ 
ceivable  function  within  its  Financial  Management  Office.  How¬ 
ever,  the  reviewer  did  not  evaluate  all  controls  over  intergov¬ 
ernmental  receivables  (moneys  paid  by  other  government  agencies 
for  services  performed  by  CDC)  during  the  ICR.  We  believe  this 
happened  because  intergovernmental  receivables  were  inadver¬ 
tently  omitted  from  the  internal  control  area  for  this  function 
in  the  Financial  Management  Office  during  the  agency's  segmenta¬ 
tion  process.  Although  we  did  not  attempt  to  identify  all  of 
the  ICR's  omissions,  a  CDC  official  stated  that  controls  over 
two  programs  totaling  about  $70  million  were  not  reviewed  by  the 
ICR  team.  We  recognize  that  this  problem  is  attributable  to  a 
faulty  segmentation  process,  but  the  result  is  an  inadequate  ICR 
of  accounts  receivable  because  of  a  limitation  in  its  scope. 

It  should  be  noted  that,  had  this  ICR  been  performed  ac¬ 
cording  to  OMB  guidelines,  the  event  cycles  would  have  been 
identified.  Thus,  the  reviewers  should  have  recognized  that 
intergovernmental  receivables  were  missing  from  the  total 
receivables  handled  by  the  Financial  Management  Office,  and  this 
oversight  may  have  been  avoided. 

Our  findings  regarding  the  inadequacy  of  HHS'  ICR  efforts 
are  consistent  with  those  reported  by  the  HHS  OIG.  That  office 
has  reported  that,  based  on  the  ICRs  and  ongoing  efforts  it  re¬ 
viewed,  many  of  the  ICRs  and  most  of  the  ongoing  efforts  were 
inadequate  in  scope. 

NEED  FOR  BETTER 
DOCUMENTATION  OF  ICRS 


HHS'  guidelines  and  instructions  stress  the  need  to  docu¬ 
ment  the  ICR  process.  They  specifically  assign  responsibility 
to  the  individual  performing  an  ICR  to  obtain  sufficient  eviden 
tial  matter  through  inspections,  observations,  and  inquiries  of 
officials  to  afford  a  reasonable  basis  for  an  opinion  regarding 
the  adequacy  of  internal  controls  for  a  specific  internal  con¬ 
trol  area.  That  individual  is  also  responsible  for  preparing 
working  papers  to  permanently  document  the  review.  Working 
papers  would  include  such  items  as  review  procedures,  the  key 
factors  considered,  and  narrative  explanations  in  s>’ C;'\cient 


28 


detail  to  Cully  explain  the  review  process.  These  documentation 
guidelines  appear  to  be  adequate,  but  were  not  always  followed. 


The  ICRs  we  reviewed  at  PHS  did  not  generally  contain  ade¬ 
quate  documentation  that  either  the  appropriateness  of  internal 
controls  in  place  had  been  evaluated  or  control  procedures  had 
been  tested.  PHS  officials  stated  that  reviewers  were  allowed 
to  forego  documentation  of  the  ICRs  in  the  interest  of  meeting 
tight  time  frames. 

One  of  the  two  ICRs  performed  by  SSA  did  not  adequately 
document  the  appropriateness  of  the  controls  in  place  or  the 
testing  of  control  procedures.  The  reviewer  did  not  realize 
that  these  activities  had  to  be  documented.  Also,  many  of  the 
ongoing  efforts  we  reviewed  did  not  document  the  testing  of  con¬ 
trol  procedures.  This  was  due  to  the  fact  that  ongoing  efforts 
were  not  required  to  be  documented  for  their  original  purposes, 
and  HHS  guidelines  are  not  clear  whether  they  require  that  on¬ 
going  efforts  meet  the  documentation  requirements  for  new  ICRs. 

Complete  documentation  is  important  because  without  it 
neither  we  nor  others  have  a  sufficient  basis  for  judging  the 
adequacy  of  the  ICRs.  HHS'  OIG  also  reported  inadequate  ICR 
documentation  for  PHS,  SSA,  and  HHS*  regional  offices. 

PROPOSED  CORRECTIVE  ACTIONS 
AND  HHS1  RESPONSE - 


In  our  draft  report,  we  proposed  that  HHS 

—revise  departmental  instructions  to  require  ICRs  that 
either  include  all  the  steps  contained  in  OMB' s  guide¬ 
lines  for  ICRs  or  meet  the  objectives  of  those  steps; 

— monitor  review  documentation  of  all  component  agencies 
to  determine  compliance  with  HHS  requirements;  and 

—emphasize  to  all  component  agencies,  through  such  means 
as  training  or  monitoring,  the  importance  of  adequately 
documenting  review  efforts. 

In  responding  to  our  draft  report,  HHS  concurred  with  our 
proposed  actions.  HHS  said  it  would  review  its  policies  and 
procedures  for  ICRs  with  the  goal  of  revising  them  to  include 
all  steps  and  objectives  contained  in  OHB's  guidelines.  Also, 
HHS  said  that  it  recognized  the  importance  of  adequately  docu¬ 
menting  ICRs.  An  ASMB  official  told  us  that  responsibility  for 
some  activities,  such  as  monitoring,  could  shift  when  the  De¬ 
partment's  recent  directive  on  streamlining  the  Office  of  the 
Secretary  (see  p.  4)  takes  effect,  but  it  is  unclear  what  impact 
this  shift  will  have  on  the  nature  of  the  monitoring  done. 


29 


CHAPTER  5 


OTHER  IMPROVEMENTS  NEEDED  IN 
HHS 1  INTERNAL  CONTROL  EFFORTS 


Although  HHS  tried  to  make  implementation  of  the  act  an 
integral  part  of  its  management  structures  and  processes,  there 
are  certain  aspects  of  its  first-year  effort  that  need  to  be  im¬ 
proved.  More  specifically,  for  all  phases  of  its  internal  con¬ 
trol  evaluation  and  improvement  effort,  HHS  needs  to  provide  for 
(1)  a  systematic  monitoring  effort,  (2)  additional  training  to 
assure  that  staff  understand  objectives  and  procedures,  and 
(3)  adequate  coverage  of  ADP  activities.  In  addition,  we  be¬ 
lieve  that  the  Secretary's  annual  report  on  the  Department's 
system  of  internal  control  should  include  all  known  material 
weaknesses  rather  than  just  weaknesses  specifically  identified 
during  its  ICR  process. 

MONITORING  EFFORTS 
NEED  TO  BE  IMPROVED 


Although  OMB  guidelines  provide  that  agencies  should  estab¬ 
lish  monitoring  systems  to  ensure  that  VAs  and  ICRs  are  per¬ 
formed  adequately,  an  ASMB  official  involved  in  the  evaluation 
effort  said  that  sufficient  staff  time  was  not  made  available  to 
assure  the  quality  of  much  of  the  work  done  under  the  internal 
control  evaluation  and  improvement  effort.  Additional  monitor¬ 
ing  efforts  by  HHS  could  have  identified  many  of  the  problems  we 
and  OIG  noted  and  resulted  in  more  immediate  corrective  action. 

In  his  March  8,  1982,  directive,  the  Secretary  made  the 
Assistant  Secretary  for  Management  and  Budget  responsible  for 
monitoring  department-wide  performance  under  the  internal  con¬ 
trol  evaluation  and  improvement  program.  He  stated  that  the 
Assistant  Secretary  would,  in  coordination  with  OIG,  periodi¬ 
cally  test  the  validity  of  information  component  agencies  sub¬ 
mitted  to  the  Office  of  the  Secretary.  In  addition,  he  directed 
that  component  agencies  monitor  their  own  performance  under  the 
program.  OIG  evaluated  ICRs  and  selected  aspects  of  the  segmen¬ 
tation  and  VA  processes.  However,  neither  OIG  nor  ASMB  made  a 
systematic,  overall  evaluation  of  the  segmentation  and  VA  proc¬ 
esses,  and  the  amount  and  nature  of  monitoring  by  component 
agencies  varied. 

At  the  departmental  level,  ASMB  generally  limited  its  moni¬ 
toring  efforts  to  determining  whether  component  agencies  com¬ 
pleted  required  process  steps  as  opposed  to  evaluating  the 
quality  of  those  steps.  An  ASMB  official  attributed  limited 
monitoring  efforts  to  resource  constraints.  He  said  that  the 


full-time  and  part-time  staff  assigned  to  the  effort  did  not 
have  enough  time  to  develop  policies  and  procedures,  respond  to 
questions,  provide  overall  direction,  prepare  reports,  assure 
that  components  met  established  schedules,  and  meet  other  re¬ 
sponsibilities  outside  of  the  internal  control  effort  as  well  as 
to  review  the  quality  of  work  done. 

Monitoring  efforts  at  the  component  level  varied  consider¬ 
ably,  depending  on  the  level  of  staffing  made  available  for  such 
efforts.  For  example,  at  SSA  the  staff  handling  the  internal 
control  effort  did  some  monitoring  but  did  not  have  enough  time 
to  systematically  review  the  quality  of  the  work  done  as  well  as 
to  manage  and  direct  the  internal  control  effort  and  perform 
their  responsibilities  in  other  areas.  PHS,  on  the  other  hand, 
assigned  staff  specifically  to  evaluate  the  segmentation  proc¬ 
ess,  and  VA  and  ICR  results.  Eleven  task  forces  made  up  of 
staff  selected  from  the  various  PHS  agencies  reviewed  the  re¬ 
sults  of  the  segmentation  process.  Similarly,  officials  in  the 
Office  of  the  Assistant  Secretary  for  Health  examined  each  of 
the  more  than  900  VAs  and  128  ICRs  prepared  by  PHS  components. 

In  March  1984,  HHS  announced  a  reorganization  plan  for  the 
Office  of  the  Secretary  which  will  shift  the  principal  monitor¬ 
ing  responsibility  for  the  Department's  efforts  under  the  Finan¬ 
cial  Integrity  Act  from  ASMB  to  OIG.  As  of  April  1984  it  was 
not  clear  how  this  shift  will  affect  the  nature  of  HHS'  monitor¬ 
ing,  but  we  plan  to  follow  this  as  part  of  our  review  of  HHS' 
second-year  efforts  under  the  act.  We  plan  to  look  closely  at 
the  number  of  staff  available,  their  expertise,  and  the  nature 
of  the  relationship  between  the  Secretary's  Office  and  OIG, 
especially  as  it  relates  to  the  smooth  development  and  implemen¬ 
tation  of  consistent  policies  and  procedures  throughout  the 
Department. 

ADDITIONAL  TRAINING  COULD  IMPROVE 
IMPLEMENTATION  OF  THE  ACT 


HHS  provided  guidance  in  its  technical  memorandums  on  how 
to  conduct  its  internal  control  evaluation  effort.  Also,  HHS 
and  its  components  provided  guidance  to  some  persons  involved  in 
the  effort.  The  guidance  provided  was  often  not  sufficient  to 
ensure  that  staff  understood  the  objectives  of  the  effort  and 
correctly  implemented  segmentation,  VA,  and  ICR  procedures.  OMB 
guidelines  state  that  training  should  be  provided  to  explain  the 
objectives  and  procedures  for  implementing  the  act. 

We  believe  that  additional  training,  along  with  other  im¬ 
provements  we  are  recommending,  could  help  overcome  the  problems 
we  identified  with  the  segmentation,  VA,  and  ICR  phases  of  HHS' 
implementation  effort.  For  example,  additional  training  on  the 


31 


objectives  of  the  segmentation  process  and  more  explanation  of 
internal  control  functional  areas  and  the  term  “significant  re¬ 
sponsibility"  could,  along  with  revised  instructions,  help  pre¬ 
vent  the  misunderstandings  that  resulted  in  exclusion  of  various 
HHS  activities  from  the  Department's  inventory  of  internal  con¬ 
trol  areas. 

In  addition,  revised  instructions  and  additional  training 
on  the  objectives  and  methodology  for  doing  VAs  could  help  pre¬ 
vent  problems  like  those  experienced  by  SSA  field  staff.  Some 
of  these  staff  said  they  may  have  rated  their  vulnerabilities 
differently,  and  some  staff  said  they  did  not  understand  the  ob¬ 
jectives  of  the  process.  (See  p.  23.)  Additional  training 
should  also  help  staff  at  CDC  who  said  they  had  no  previous 
training  or  adequate  instructions  for  conducting  ICRs  and  did 
not  understand  what  they  needed  to  do  to  perform  ICRs  that  fully 
complied  with  HHS '  instructions . 

ADP  ACTIVITIES  WERE  NOT  ADEQUATELY 
CONSIDERED  AND  EVALUATED 

To  avoid  duplication  of  effort,  HHS  directed  its  component 
agencies  to  exclude  ADP  activities  from  much  of  the  internal 
control  evaluation  and  improvement  process.  It  has  relied  on 
the  Department's  ADP  security  program  established  in  response  to 
OMB  Circular  A-71  (Transmittal  #1,  Security  of  Federal  Automated 
Information  Systems)  to  evaluate  the  internal  controls  associ¬ 
ated  with  its  ADP  function.  We  believe  HHS'  desire  to  avoid 
duplication  of  effort  was  an  appropriate  attempt  to  conserve  re¬ 
sources.  However,  neither  the  scope  of  activities,  the  adminis¬ 
trative  procedures,  nor  the  degree  of  management  emphasis  asso¬ 
ciated  with  the  Department's  ADP  security  program  were  adequate 
to  meet  the  provisions  in  OMB's  internal  control  guidelines. 

HHS '  component  agencies  did  not  perform  new  VAs  or  ICRs  for 
ADP  activities  for  purposes  of  the  Financial  Integrity  Act. 
Instead,  HHS  substituted  assessments  and  analyses  done  under  its 
ADP  security  program.  However,  the  scope  of  HHS*  efforts  under 
its  ADP  security  program  was  generally  limited  to  the  physical 
security  of  ADP  facilities,  equipment,  and  operations.  HHS  did 
not  generally  evaluate  other  important  types  of  controls  over 
ADP  systems  that  are  discussed  in  OMB's  guidelines,  such  as  con¬ 
trols  to  produce  accurate,  complete,  and  timely  output. 

Besides  Lhe  limitations  on  the  scope  of  efforts  mentioned 
above,  the  ADP  security  assessments  substituted  for  VAs  were  in¬ 
adequate  because  they  did  not  address  all  the  factors  considered 
necessary  in  OMB's  internal  control  guidelines.  Specifically, 
the  ADP  security  assessments  did  not  include  a  preliminary  eval¬ 
uation  of  safeguards  and  covered  relatively  few  of  the  elements 


32 


A 


of  inherent  risk  or  the  general  control  environment.  In  addi¬ 
tion,  we  believe  that  all  five  ADP  security  analyses  we  evalu¬ 
ated  at  HCFA  and  SSA  were  not  adequate  ADP  ICRs.  For  example, 
one  addressed  physical  security  controls  only  and  did  not  ad¬ 
dress  other  aspects  of  internal  controls  cited  in  OMB' s  guide¬ 
lines. 

It  appears  that  HHS  management  has  given  only  limited  em¬ 
phasis  to  considering  and  evaluating  ADP  activities  as  part  of 
the  process  prescribed  by  the  OMB  guidelines.  For  example: 

— Although  OMB  guidelines  call  for  adequate  documentation 
and  monitoring,  HHS  did  not  prescribe  what  documentation 
should  be  maintained  for  its  ADP  internal  control  evalua¬ 
tions  and  did  not  establish  an  effective  monitoring  pro¬ 
gram  for  its  ADP  Financial  Integrity  Act  efforts. 

— HHS  designated  systems  security  officers  to  oversee  its 
ADP  efforts  who  did  not  have  the  authority  to  direct  re¬ 
sources  to  fulfill  the  requirements  of  HHS'  internal  con¬ 
trol  evaluation  and  improvement  program. 

— Of  200  ADP  application  systems  identified  at  SSA  and 
HCFA,  the  systems  security  officers  reported  completing 
reviews  of  14  as  of  September  30,  1983,  and  planned  to 
complete  8  more  in  fiscal  year  1984.  In  order  to  accom¬ 
plish  HHS*  requirement  that  all  systems  be  evaluated 
within  5  years,  the  systems  security  officers  will  have 
to  direct  an  average  of  46  evaluations  a  year  for  the 
next  4  years. 

— As  a  result  of  HHS'  policy  to  separate  ADP  from  the  other 
15  HHS  functions,  staff  conducting  VAs  and  ICRs  of  the 
other  functions  did  not  consider  the  results  of  ADP  secu¬ 
rity  program  assessments  or  reviews.  Such  consideration 
is  important  because  ADP  is  integral  to  carrying  out  many 
of  the  activities  included  in  other  functions,  such  as 
payroll  and  entitlement  program  payments.  Problems  with 
ADP  could  significantly  affect  the  vulnerability  rating 
for  each  function,  and  the  results  of  ICRs  could  be  mis¬ 
leading  if  the  ADP  controls  are  not  evaluated. 

HHS  has  recognized  the  need  to  improve  its  coverage  of  ADP 
under  its  internal  control  evaluation  program  and  to  better  in¬ 
tegrate  its  ADP  assessments  and  reviews  with  those  conducted  for 
the  other  internal  control  functions.  In  her  January  24,  1984, 
report  to  the  President  and  the  Congress  on  HHS'  first-year 
internal  control  evaluation  effort,  the  Secretary  said  HHS  was 
developing  policies  and  procedures  to  address  this  issue. 


33 


HHS 1  YEAR-END  REPORT 
SHOULD  BE  IMPROVED 

In  her  report  on  HHS'  first-year  implementation  of  the  act, 
the  Secretary  described  the  Department’s  internal  control  evalu¬ 
ation  process  and  progress,  reported  material  weaknesses  to¬ 
gether  with  corrective'  actions  taken  or  planned,  and  said  she 
had  reasonable  assurance  the  Department's  internal  controls  were 
operating  as  called  for  in  the  act  (see  p.  7).  The  Secretary 
also  reported  that  nonmaterial  weaknesses  were  identified  during 
the  evaluation  process  (although  they  were  not  specified)  and 
mentioned  HHS*  efforts  to  improve  its  operations  in  some  "cross¬ 
cutting"  functions.  These  functions  include  debt,  cash,  and 
personnel  management;  audit  resolution;  prompt  payments;  and 
systems  enhancements. 

In  preparing  its  first-year  report  on  the  adequacy  of  its 
internal  controls,  HHS  decided  to  report  only  those  internal 
control  weaknesses  specifically  identified  by  its  ICRs  or  their 
substitutes.  This  decision  was  not  consistent  with  instructions 
included  in  a  July  29,  1983,  memorandum  from  OMB* s  Deputy  Direc¬ 
tor  to  the  Secretary  of  HHS.  OMB  stated  that  each  department 
and  agency  needed  to  identify,  analyze,  and  record  known  mate¬ 
rial  internal  control  weaknesses  from  all  sources  for  use  in 
preparing  its  year-end  statement  on  the  status  of  controls. 

During  the  last  few  years,  we  and  OIG  have  reported  a  number 
of  significant  problems  to  HHS  relating  to  internal  control 
weaknesses  that  were  not  discussed  in  HHS'  report.  We  believe 
that  some  of  these  control  weaknesses  are  more  material  than 
many  of  those  identified  by  HHS  during  its  first-year  evaluation 
effort  and  should  have  been  included  in  HHS'  report.  HHS  re¬ 
ported,  for  example,  that  small  equipment  which  was  open  to 
theft  in  one  of  its  regional  offices  was  not  marked  with  iden¬ 
tifying  numbers.  In  contrast,  some  of  the  problems  we  identi¬ 
fied  but  which  HHS  did  not  report  and  which  remain  uncorrected 
follow. 

HCFA  programs  have  experienced  overpayments  because  medi¬ 
cally  unnecessary  services  were  sometimes  paid  for  on  behalf  of 
beneficiaries.  In  February  1983  (HRD-83-16),  we  reported  that 
these  overpayments  were  attributable  to  weaknesses  in  the  inter¬ 
nal  controls.  More  specifically,  HCFA's  guidelines  for  Medicare 
paying  agents  did  not  require  sufficient  computer  edits  to  iden¬ 
tify  claims  for  potentially  medically  unnecessary  services.  In 
addition,  HCFA's  policies  governing  payment  for  such  services 
were  not  sufficient  to  assure  that  paying  agents  would  appropri¬ 
ately  deny  payment  for  all  such  services  after  manual  review. 
HCFA  also  did  not  direct  its  evaluations  of  paid  claims  in  ways 
that  would  adequately  assure  that  payments  for  medically  unnec¬ 
essary  services  were  identified  and  recouped. 


34 


Although  HHS  has  experienced  a  number  of  significant  prob¬ 
lems  in  the  area  of  entitlements  and  benefit  payments/  the  Sec¬ 
retary's  annual  report  indicates  that  ICRs  of  the  function  "sub¬ 
sidies/  entitlements  and  benefit  payments”  did  not  disclose  any 
material  weaknesses.  On  the  basis  of  past  GAO  work,  we  believe 
that  material  weaknesses  exist  in  SSA's  entitlement  and  benefit 
payment  programs.  For  example,  we  have  reported  on  internal 
control  weaknesses  in  the  social  security  wage  reporting  system 
(HRD-82-19,  Dec.  10,  1981)  which  we  believe  have  given  SSA  con¬ 
tinued  problems  with  maintaining  accurate  wage  data. 

Specifically,  controls  are  inadequate  to  prevent  erroneous 
wage  data  submitted  by  employers  from  getting  into  SSA's  wage 
data  base.  In  addition,  SSA  does  not  have  adequate  procedures 
for  acquiring  needed  wage  and  employee  information  for  posting 
large  volumes  of  unposted  wages  to  appropriate  accounts.  Fur¬ 
ther,  SSA  has  inadequate  procedures  to  assure  that  beneficiary 
post-retirement  wages  are  posted  accurately  and  in  a  timely 
manner  in  order  to  recompute  benefit  amounts. 

We  have  reported  on  several  other  internal  control  problems 
at  SSA.  For  example,  we  reported  (HRD-82-18,  Apr.  28,  1982), 
that  SSA  identified  about  2.1  million  records  where  two  or  more 
people  have  the  same  social  security  number.  This  problem  af¬ 
fects  the  timeliness  and  accuracy  of  processing  claims  for  bene¬ 
fit  payments.  With  respect  to  SSA's  Supplemental  Security  In¬ 
come  program,  we  have  reported  on  operating  and  internal  control 
weaknesses  that  resulted  in  over  $125  million  in  erroneous  bene¬ 
fit  payments  (HRD-81-4,  Feb.  4,  1981). 

We  believe  that  HHS  should  record  and  track  control  weak¬ 
nesses  identified  by  all  sources  and,  where  they  are  considered 
to  be  material,  include  them  in  its  year-end  report. 

PROPOSED  CORRECTIVE  ACTIONS 
AND  HHS  *  RESPONSE' 

In  our  draft  report,  we  proposed  that  HHS  (1)  provide  for 
additional  training  on  and  monitoring  of  the  segmentation,  VA, 
and  ICR  processes  and  (2)  revise  its  ADP  security  program  to  re¬ 
quire  the  assessments  and  reviews  included  in  ONB  guidelines  for 
implementing  the  Financial  Integrity  Act.  In  addition,  we  pro¬ 
posed  that  the  Secretary  require  that  internal  control  weak¬ 
nesses  identified  by  OIG,  GAO,  and  others  outside  the  internal 
control  evaluation  process  be  recorded,  tracked,  and  if  con¬ 
sidered  material,  included  in  annual  reports  to  the  President 
and  the  Congress. 


35 


HHS  concurred  with  our  proposals,  stating  that  it  was  a 
strong  advocate  of  providing  additional  training  on  and  monitor¬ 
ing  of  all  aspects  of  its  internal  control  initiative.  It  be¬ 
lieves  its  efforts  to  combine  the  ADP  security  program  with  Fi¬ 
nancial  Integrity  Act  requirements  will  be  successful.  Further, 
HHS  said  its  position  is  to  correct  all  internal  control  weak¬ 
nesses  regardless  of  who  identifies  them  and  that  it  will  review 
procedures  for  recording,  tracking,  and  reporting  material  weak¬ 
nesses. 


CHAPTER  6 


IMPROVEMENTS  ARE  NEEDED  IN  HHS' 
REVIEWS  OF  ACCOUNTING  SYSTEMS 


HHS'  written  procedures  for  evaluating  its  accounting  sys¬ 
tems  generally  appeared  reasonable  for  the  first  year.  However , 
component  agencies  did  not  adequately  follow  the  established  re¬ 
view  procedures.  They  neither  properly  tested  accounting  sys¬ 
tems  to  determine  whether  they  operated  in  accordance  with  the 
Comptroller  General's  principles  and  standards  nor  adequately 
documented  the  results  of  their  reviews.  These  problems  appear 
to  stem  from  a  number  of  reasons,  including  the  newness  of  the 
effort  and  the  relatively  short  time  available  the  first  year, 
given  the  substantial  amount  of  work  required  to  adequately  test 
accounting  systems.  HHS  could  improve  its  subsequent  years' 
efforts  by  monitoring  the  adequacy  of  efforts  undertaken  and 
considering  for  inclusion  in  its  annual  reports  on  accounting 
systems  all  instances  of  nonconformance  known  to  it  from  sources 
other  than  its  own  evaluations,  such  as  GAO  and  OIG  reports. 

MORE  AND  BETTER  TESTING 
OF  ACCOUNTING  SYSTEMS  IS  NEEDED 


HHS  did  not  adequately  test  any  of  the  10  accounting  sys¬ 
tems  it  reviewed  during  its  first-year  effort.1  Six  of  the 
10  systems  received  little,  if  any,  testing.  The  remaining  four 
were  tested  by  a  limited  examination  of  a  few  system  transac¬ 
tions,  and  did  not  cover  all  of  the  Comptroller  General's  prin¬ 
ciples  and  standards.  None  of  the  testing  was  done  on  a  statis¬ 
tical  sampling  basis  as  called  for  by  HHS'  procedures,  nor  were 
ADP  systems  controls  tested.  A  PHS  official,  for  example,  at¬ 
tributed  insufficient  testing  to  time  and  resource  constraints. 

BETTER  DOCUMENTATION  OF  ACCOUNTING 
6Y5TEM  REVIEWS  NEEDED 

HHS'  instructions  for  accounting  system  reviews  state  that 
the  results  of  each  review  must  be  fully  documented  and  the 
files  permanently  retained.  Specifically,  the  instructions 
state  that  all  "no"  and  "N/A"  answers  to  standardized  questions 
on  the  checklist  for  reviewing  compliance  with  GAO's  accounting 


iHHS  reported  that  it  has  a  total  of  22  accounting  systems. 
However,  we  recently  completed  a  survey  of  its  financial  man¬ 
agement  systems  and  are  working  with  the  Department  to  reach 
agreement  on  the  number  of  systems  it  should  classify  as  ac¬ 
counting  systems. 


37 


principles  and  standards  must  be  fully  explained  in  writing  and 
permanently  retained.  The  instructions  further  state  that  "yes" 
answers  must  be  verified  "...  through  statistical  sampling 
techniques,  interviews,  and  on-site  observations"  and  the 
results  "...  must  be  recorded  in  writing  and  filed  with  the 
permanent  workpapers." 

HHS  did  not  adequately  document  any  of  the  10  accounting 
system  reviews  it  performed.  For  6  of  the  10  systems,  no  docu¬ 
mentation  was  available  showing  methods  used  to  obtain  informa¬ 
tion  or  explaining  instances  of  noncompliance  with  the  Comp¬ 
troller  General's  principles  and  standards.  The  other  four  sys¬ 
tem  reviews  had  some  workpaper  documentation,  but  it  was  not 
complete  regarding  testing  that  was  done  and/or  the  basis  for 
conclusions  reached. 

MONITORING  NEEDED 


HHS'  policies  and  procedures  for  evaluating  its  accounting 
systems  did  not  provide  for  a  monitoring  program.  In  the  ab¬ 
sence  of  OMB  guidelines  for  accounting  system  reviews,  we  be¬ 
lieve  that  all  departments  and  agencies  should  monitor  to  test 
compliance  with  departmental  or  agency  requirements.  This  is 
necessary  for  the  same  reasons  OMB  included  monitoring  under  the 
internal  control  evaluation  and  improvement  program.  This 
function  could  be  performed  by  either  HHS  program  or  adminis¬ 
trative  staff  or  the  OIG. 

ASMB  officials  responsible  for  HHS'  accounting  system  re¬ 
view  effort  told  us  that  there  was  insufficient  time  for  their 
staff  to  monitor  the  results  of  the  work  done  during  the  first 
year.  The  OIG,  as  a  part  of  its  review  of  HHS'  implementation 
of  the  Financial  Integrity  Act,  evaluated  3  of  HHS'  10  system 
reviews  and  noted  deficiencies  with  the  Department's  testing  and 
documentation  procedures  similar  to  the  problems  we  identified. 
However,  we  believe  that  monitoring  of  more  system  reviews  is 
necessary  to  adequately  ascertain  compliance  on  a  routine  basis. 

ALL  SIGNIFICANT  KNOWN  PROBLEMS 
SHOULD  BE  REPORTED 

HHS'  first-year  work  did  not  include  a  systematic  effort  to 
inventory  all  known  problems  with  the  Department’s  accounting 
systems  from  such  sources  as  reports  and  studies  by  GAO,  OIG, 
and  others.  One  such  problem  we  previously  reported  on 
(HRD-81-4)  is  the  lack  of  appropriate  controls  to  prevent  im¬ 
proper  payments  under  SSA's  disbursement  systems.  This  problem 
was  not  identified  in  the  Secretary's  report  but  remained  uncor¬ 
rected.  We  believe  that  all  known  instances  of  deviations  from 
the  Comptroller  General's  principles  and  standards  should  be 


38 


identified  and  those  that  are  considered  to  be  material  should 
be  reported  in  the  Secretary's  future  annual  reports  along  with 
corrective  actions  planned,  underway,  or  completed.  Such  action 
should  also  facilitate  efforts  to  follow  up  on  accounting  sys¬ 
tems  problems  to  ensure  that  appropriate  corrective  actions  are 
taken . 

PROPOSED  CORRECTIVE  ACTIONS 
AND  HHS '  RESPONSE 

In  our  draft  report,  we  proposed  that  HHS  take  steps  to  en¬ 
sure  that  future  reviews  of  accounting  systems  include  adequate 
testing  and  documentation  of  review  procedures  and  suggested 
that  it  perform  additional  monitoring  of  review  procedures  to 
determine  the  adequacy  of  the  testing,  verification,  and  docu¬ 
mentation  of  results.  In  addition,  we  proposed  that  HHS  evalu¬ 
ate  all  instances  of  nonconformance  with  the  Comptroller  Gen¬ 
eral’s  accounting  principles  and  standards  that  the  Department 
is  aware  of  and  include  those  that  are  considered  material  in 
future  annual  reports. 

HHS  concurred  with  our  proposals.  The  Department  said, 
however,  that  it  would  prefer  to  obtain  official  accounting  sys¬ 
tem  review  procedures  before  it  issues  additional  instructions 
to  component  agencies.  In  addition,  HHS  said  that  it  intends  to 
revise  its  procedures  to  assure  that  all  instances  of  noncon¬ 
formance  with  the  Comptroller  General's  principles  and  standards 
are  evaluated  and,  where  appropriate,  included  in  future  annual 
reports.  Although  the  act  requires  neither  GAO  nor  OMB  to  issue 
guidelines  for  accounting  systems  reviews,  OMB  has  assumed 
responsibility  for  issuing  such  guidelines.  OMB  has  consulted 
with  us  on  their  development  and  expects  to  issue  them  in  the 
near  future. 


» 


39 


APPENDIX  I 


APPENDIX  I 


DEPARTMENT  OF 
HEALTH  AND  HUMAN  SERVICES* 
OPERATING  AND  STAFF  DIVISIONS 


Operating  Divisions: 

Public  Health  Service 
Social  Security  Administration 
Health  Care  Financing  Administration 
Office  of  Human  Development  Services 
Office  of  Community  Services 


Staff  Divisions: 

Office  of  the  Assistant  Secretary 
Office  of  the  Assistant  Secretary 
Evaluation 

Office  of  the  Assistant  Secretary 
Administration 

Office  of  the  General  Counsel 
Office  of  the  Inspector  General 
Office  of  Civil  Rights 
Office  of  the  Under  Secretary  for 
Office  of  the  Assistant  Secretary 
Office  of  the  Assistant  Secretary 
Budget 

Immediate  Office  of  the  Secretary 


for  Legislation 
for  Planning  and 

for  Personnel 


Intragovernmental  Affairs 
for  Public  Welfare 
for  Management  and 


l; 


APPENDIX  II 


APPENDIX  II 


DEPARTMENT  OF 
HEALTH  AND  HUMAN  SERVICES* 

16  INTERNAL  CONTROL  FUNCTIONAL  AREAS 


General  Policy  and  Direction  -  This  function  encompasses  the 
communication  by  management  of  its  programmatic  objectives  and 
responsibilities,  as  well  as  the  policies  and  procedures  to  be 
employed  in  obtaining  the  desired  results.  This  includes  man¬ 
agement's  formal  plan  of  organization. 

Budget  Planning  and  Formulation  -  This  function  encompasses  bud¬ 
get  planning  and  formulation  for  an  organization.  This  includes 
policies  and  procedures  used  in  the  planning,  formulation,  and 
review  of  the  budget  of  an  organization. 

Cash  -  This  function  covers  all  actions  associated  with  cash 
transactions,  such  as  receipt,  safeguarding,  and  depositing  of 
cash,  checks,  money  orders,  and  negotiable  securities.  It  also 
covers  all  actions  associated  with  imprest  funds,  including  ad¬ 
vances  and  disbursements. 

Receivables,  Loans,  and  Advances  -  This  function  encompasses  all 
policies,  procedures,  and  operations  of  an  organization  for  con¬ 
trolling,  monitoring,  collecting,  and  accounting  for  all  receiv¬ 
ables,  loans,  and  advances  due  from  both  the  public  and  private 
sectors. 

Inventories  -  This  function  encompasses  all  policies,  proce¬ 
dures,  and  operations  for  controlling  and  managing  all  mate¬ 
rials,  supplies,  work-in-process,  and  finished  goods  used  in 
achieving  an  organization's  purpose  or  mission.  This  includes 
the  taking  of  physical  inventories,  physical  security  over 
stores  and  supplies,  and  the  maintenance  of  the  appropriate  ac¬ 
counting  records. 

Property,  Plant,  and  Equipment  -  This  function  includes  all 
policies,  procedures,  and  operations  for  the  acquisition, 
maintenance,  storage,  disposition,  and  physical  security  of  all 
property,  plant,  and  equipment  of  an  organization.  This  also 
includes  the  maintenance  of  the  appropriate  accounting  records. 

Payables  -  This  function  encompasses  all  aspects  of  handling  and 
accounting  for  the  various  types  of  liabilities  incurred  by  an 
organization  to  both  the  public  and  private  sectors.  This  area 
includes  vendor  billings,  voucher  packages,  purchase  orders, 
receiving  reports,  etc. 


41 


APPENDIX  II 


APPENDIX  II 


Budget  Execution,  Fund  Control,  and  Government  Equity  -  This 
function  encompasses  all  procedures  regarding  budget  execution, 
fund  control,  and  government  equity.  This  would  include  the  use 
of  budgetary  accounts  (appropriations,  apportionments,  allot¬ 
ments),  fund  control  accounts  (obligations,  commitments),  and 
government  equity  accounts  (expended  funds,  earned  and  estimated 
reimbursements)  as  they  impact  on  an  organization. 

Sales  -  This  function  encompasses  all  policies  and  procedures 
for  the  sale  of  an  organization's  resources.  This  includes  all 
aspects  of  sales,  such  as  customer  orders,  billings,  shipping 
documents,  and  the  overall  accounting  treatment  of  the  proceeds 
from  different  types  of  sales. 

Procurement  and  Purchasing  -  This  function  covers  all  actions 
associated  with  the  process  employed  in  acquiring  goods  and 
services  from  both  the  private  sector  as  well  as  from  government 
entities.  The  span  of  control  covers  the  entire  cycle  from  the 
point  where  the  initial  request  for  goods  or  services  is  made 
until  the  final  action  is  taken  and  payment  is  authorized. 

Personnel  -  This  function  encompasses  the  entire  federal  person- 
nel  system  as  it  impacts  on  the  organization.  This  includes 
three  discrete  areas:  (1)  personnel  administration  which  is 
performed  by  servicing  personnel  offices,  or  staff  offices  that 
issue  policies  and  procedures  to  direct  servicing  personnel 
offices;  (2)  personnel  management  which  is  performed  by  various 
levels  of  the  management  chain  of  command;  and  (3)  time,  attend¬ 
ance,  and  payroll  functions  that  are  performed  within  the  organ¬ 
ization. 

Travel  -  This  function  includes  all  travel  policies  and  proce- 
dures  of  an  organization  and  also  covers  all  travel  performed  by 
members  of  an  organization.  Travel  procedures  encompass  the  use 
of  travel  orders,  travel  advances,  vouchers,  and  liquidation  of 
outstanding  travel  advances. 

Grants  (discretionary  and  formula)  -  This  function  includes  the 
entire  grants  process,  from  the  development  of  policies  and  pro¬ 
cedures  to  all  operational  aspects  of  grantee  selection,  award, 
administration,  management,  evaluation,  and  the  processes  asso¬ 
ciated  with  grant  closure  and/or  accountability. 

Subsidies,  Entitlements,  and  Benefit  Payments  -  This  function 
encompasses  all  policies,  procedures,  and  operations  for  con¬ 
trolling  and  accounting  for  subsidies,  entitlements,  and  benefit 
payments  administered  by  an  organization.  This  includes  the 


42 


APPENDIX  II 


APPENDIX  II 


entire  process  from  the  time  an  applicant  applies  for  benefits 
until  the  time  that  payment  to  the  applicant  is  initiated  or 
other  final  disposition  of  the  application. 

Automatic  Data  Processing  -  This  function  encompasses  all  as- 
pects  of  automatic  data  processing  (ADP)  for  an  organization. 
This  area  includes  physical  controls  over  computer  hardware  and 
software,  as  well  as  all  policies  and  procedures  for  operating 
ADP  systems.  This  also  includes  systems  documentation,  operat¬ 
ing  logs  and  controls,  file  protection  and  retention,  input  con¬ 
trols,  output  controls,  and  program  controls. 

Records  Systems  -  This  function  encompasses  records  systems, 
such  as  the  Earnings  Records  System  maintained  by  the  Social 
Security  Administration.  This  area  includes  all  records  systems 
where  information  is  queried  to  determine  applicant  eligibility 
for  program  assistance  or  of  a  nature  restricted  by  the  Privacy 
Act . 


43 


APPENDIX  III 


APPEND' X  III 


DEPARTMENT  Of  HEALTH  AND  HUMAN  SERVICES 
VULNERABILITY  ASSESSMENT  MODEL 
Internal  Control  Function: 

0P01V/STAFFDIV:  _ _ 

Organizational  Component: 

Organizational  Laval _  Organizational  Coda 

Organizational  Nana 


RANKING  FACTORS  POINT  VALUE 

A.  Results  of  Audita 

1.  Favorable 

2.  Advisory 

3.  Negative  _ 

B.  Interval  Since  Most  Recent 

Audit  “ 

1.  Less  than  1  year 

2.  One  to  Three  Years 

3.  More  than  Theaa  Years  _ 


C.  Impact  of  Recent  Errors  or 
Irregularities 

1.  Nona 

2.  Personal  Hane/Enbarrassaiant 

3.  Monetary  Loss/Pol Icy  Change 

D.  Access  to  Cash/Negotlable 
Instrument 

1.  NO  Access 

2.  Limited  Access 

3.  Extensive  Access 


E.  Existence  of  Internal  Control 
?roce3ures  — — 

1.  Extensive 

2.  Moderate 

3.  None 


F.  Physical  Security 

1.  none  Required** 

2.  Required  by  Program 

3.  Required  by  Regulatl on/Law 

6.  Risks  From  Internal 
influences 

1.  No  Potential  Risk 

2.  Moderate  Potential  Risk 

3.  Extensive  Potential  Risk 


■ 


44 


APPENDIX  III 


APPENDIX  III 


banking  factors 

N.  ftlski  from  External  Influences 

1.  No  Potential  risk 

2.  Moderate  Potential  Risk 

3.  Extensive  Potential  Risk 

I.  Policy  Direction 

1.  usually  written 

2.  Occasionally  Written 

3.  Rarely  Written 

J.  Recent  Changes  In  Program 
"Control  or  Resource  Level 

1.  Less  tnan  IB?  increase  or 
decrease 

2.  20  to  Zil  increete  or 
decrease 

3.  More  than  2S3  Increase  or 
decrease 

(Include  new  program  or 
phase  out) 

K.  Other 


POINT  VALUE 


TOTAL  POINT  VALUE 


Total  Point  Value 


Hunter  of  Rating  Factors  Used 


=  Point  Value  Average 


Vulnerability  Assessment  Rating 


Point  Value  Average  Scale 


Decree  of  Vulnerablllt 


PREPARED  IT 


APPROVED  BY  ICO: 
NAME: 

OATE: 


APPENDIX  V 


APPENDIX  V 


EXAMPLES  OF  MATERIAL  WEAKNESSES  AND 
CORRECTIVE  MEASURES  REPORTED  BY  HHS 


FUNCTION:  General  Policy  and  Direction 

Total  number  of  Internal  control  reviews  conducted:  10 
Total  number  of  material  weaknesses:  11 
Examples  of  material  weaknesses : 

—The  HHS  General  Administration  Manual  chapters  on  con¬ 
trolling  paperwork  burden  are  out-of-date  and  need  to  be 
revised  to  incorporate  new  procedures  and  terminology. 

The  Office  of  the  Assistant  Secretary  for  Management  and 
Budget  is  drafting  revised  chapters. 

— In  HHS'  Philadelphia  regional  office,  supervisory  staff 
in  the  Office  of  Inspector  General,  Office  of  Audit,  ap¬ 
proved  and  signed  travel  vouchers  and  time  cards  without 
delegated  authorization  to  do  so.  Corrective  action  was 
scheduled  to  make  appropriate  delegations  of  authority. 

FUNCTION:  Budget  Execution,  Fund  Control,  and  Government  Equity 
Total  number  of  internal  control  reviews  conducted:  5 
Total  number  of  material  weaknesses :  1 

Material  weakness: 

—The  OIG,  Office  of  Investigations,  in  HHS’  Philadelphia 
regional  office  had  not  filed  with  the  Administrative 
Services  Division  the  designation  of  who  can  sign  pur¬ 
chase  requisitions.  Corrective  action  was  scheduled. 

FUNCTION:  Cash 


Total  number  of  internal  control  reviews  conducted:  337 
Total  number  of  material  weaknesses:  32 
Examples  of  material  weaknesses: 

—The  Public  Health  Service,  Health  Resources  and  Services 
Administration,  made  duplicate,  over-,  and  improper  pay¬ 
ments  to  providers  of  health  care  to  Cuban  and  Haitian 


APPENDIX  V 


APPENDIX  V 


refugees.  Completion  of  corrective  action  is  scheduled 
by  April  1,  1984. 

— Financial  management  procedures  at  the  Office  of  Human 
Development  Services  permitted  grantees  to  maintain  ex¬ 
cessive  cash  balances.  As  a  result,  the  federal  govern¬ 
ment  incurred  unnecessary  interest  costs.  A  new  cash 
management  system  has  significantly  improved  cash  manage¬ 
ment  procedures.  The  system  requires  grantees  to  submit 
timely,  complete,  and  accurate  cash  transaction  reports, 
upon  penalty  of  withholding  cash  advances  if  they  do  not, 
and  to  indicate  their  current  cash  needs. 

— Federal  interest  costs  for  fiscal  years  1981  and  1982 
could  have  been  reduced  at  least  $1.6  million  if  all 
eligible  grantees  were  funded  through  letters  of  credit 
rather  than  periodic  Treasury  checks.  To  correct  this 
situation,  ASMB  lifted  a  moratorium  on  new  letters  of 
credit  in  fiscal  year  1983. 

FUNCTION:  Records  Systems 

Total  number  of  internal  control  reviews  conducted:  6 
Total  number  of  material  weaknesses:  1 
Material  weakness: 

— In  the  OIG,  Office  of  Investigations,  Philadelphia  re¬ 
gional  office,  open  and  closed  case  files  contained  notes 
which  should  not  be  in  the  file  folder  itself,  but  placed 
in  a  related  envelope.  Corrective  action  was  scheduled. 

FUNCTION:  Receivables,  Loans,  and  Advances 

Total  number  of  internal  control  reviews  conducted:  117 
Total  number  of  material  weaknesses:  68 
Examples  of  material  weaknesses: 

— A  Public  Health  Service  regional  office  had  no  system  in 
place  to  assure  review  of  the  credit  worthiness  of  appli¬ 
cants  for  National  Health  Service  Corps  loans.  An  offi¬ 
cial  in  each  region  will  be  designated  to  assure  that 
appropriate  reviews  are  made. 


48 


.jfStm 


APPENDIX  V 


APPENDIX  V 


— Public  Health  Service,  National  Health  Service  Corps 
Site  Loans  did  not  contain  any  reference  to  interest  or 
penalty  for  late  payments.  Procedures  were  issued  to 
require  such  references. 

— In  the  Public  Health  Service,  Health  Resources  and  Serv 
ices  Administration,  the  same  person  who  approved  loans 
had  authority  to  waive  interest  and  principal  payments. 
The  person's  authority  to  waive  interest  and  principal 
payments  will  be  rescinded  to  conform  with  appropriate 
separation  of  duties. 

FUNCTIONS  Travel 


Total  number  of  internal  control  reviews  conducted:  8 
Total  number  of  material  weaknesses:  2 
Material  weaknesses: 

— In  HHS 1  Boston  regional  office,  the  OIG,  Office  of  Health 
Financing  Integrity,  processed  Blanket  Travel  Orders 
without  meeting  requirements  for  an  established  length  of 
travel  or  number  of  trips  per  month  for  each  staff. 
Corrective  action  was  taken  to  adhere  to  the  established 
criteria. 

— In  HHS'  Boston  regional  office,  no  daily  travel  log  was 
kept  to  maintain  adequate  control  over  four  General  Serv¬ 
ices  Administration  cars  assigned  to  the  OIG,  Office  of 
Investigations.  To  correct  this  weakness,  a  formal  di¬ 
rective  was  issued  which  requires  all  special  agents  to 
use  locator  cards,  and  to  contact  the  office  daily  when 
on  travel. 

FUNCTION:  Procurement  and  Purchasing 

Total  number  of  internal  control  reviews  conducted:  262 
Total  number  of  material  weaknesses:  12 
Examples  of  material  weaknesses: 

—At  St.  Elizabeths  Hospital,  several  audits  led  to  the 
withdrawal  of  negotiated  procurement  authority  in  January 
1983.  The  hospital's  procurement  section  was  insuffici¬ 
ently  staffed  to  carry  out  the  procurement  and  purchasing 
workload.  Steps  have  been  taken  to  insure  that  staffing 
is  consistent  with  the  workload. 


49 


APPENDIX  V 


APPENDIX  V 


—In  the  OIG,  Office  of  Health  Financing  Integrity,  New 
York  regional  office,  telephone  toll-call  listings  were 
not  being  received  and  reviewed  timely  by  management  to 
insure  the  validity  of  toll  calls.  A  listing  had  not 
been  received  for  at  least  6  months.  Corrective  action 
was  scheduled . 

— In  the  OIG,  Office  of  Audit,  New  York  regional  office, 
the  "GSA  charge  plate"  was  maintained  in  an  unlocked  desk 
drawer.  Corrective  action  was  scheduled  to  secure  the 
charge  plate  in  a  locked  desk  or  cabinet  when  not  in  use. 

FUNCTION:  Payables 

Total  number  of  internal  control  reviews  conducted:  2 

Total  number  of  material  weaknesses:  1 

Material  weakness: 

— In  HHS 1  New  York  regional  office,  there  was  no  standard 
procedure  to  confirm  that  voucher  examiners  had  completed 
all  required  audit  steps  (e.g.,  checking  extensions, 
quantities,  distribution  of  charges)  prior  to  submission 
of  vouchers  for  payment.  To  correct  this  deficiency,  a 
stamped,  standard  legend  will  be  established  and  used  by 
all  voucher  examiners  to  indicate  completion  of  audit 
processes. 

FUNCTION:  Grants 


Total  number  of  internal  control  reviews  conducted:  2 
Total  number  of  material  weaknesses:  8 
Examples  of  material  weaknesses: 

— A  policy  of  withholding  payments  to  grantees  delinquent 
in  submitting  their  financial  reports  should  be  adopted. 
Under  revised  procedures,  ASMB  implemented  a  policy  of 
withholding  payments  to  grantees  when  their  financial 
reports  are  delinquent. 

—The  Office  of  Human  Development  Services  did  not  include 
its  regional  offices  in  the  inventory  of  internal  con¬ 
trol  areas  in  the  functional  area  of  "discretionary 
grants."  It  was  assumed  that  this  would  be  covered  by 
the  Deputy  Under  Secretary  for  Intragovernmental  Affairs. 


APPENDIX  V 


APPENDIX  V 


Corrective  action  will  be  taken  to  include  the  regional 
offices  in  the  inventory  and  to  perform  vulnerability 
assessments  in  1984. 

FUNCTION:  Personnel 


Total  number  of  internal  control  reviews  conducted:  46 
Total  number  of  material  weaknesses:  39 
Examples  of  material  weaknesses: 

— At  the  Health  Care  Financing  Administration  timecards 
were  returned  to  the  timekeepers  after  supervisory  re¬ 
view.  Some  timekeepers  prepared  their  own  timecards.  A 
majority  of  supervisors  immediately  took  corrective 
action . 

— Office  of  the  General  Counsel  supervisory  personnel  and 
managers  did  not  know  which  employees  were  entitled  to 
overtime  under  the  Fair  Labor  Standards  Act.  Action  was 
taken  to  inform  the  supervisors  of  those  who  are  eligible 
for  overtime. 

— In  the  OIG,  Office  of  Audit,  Philadelphia  regional  of¬ 
fice,  undistributed  payroll  checks  were  kept  in  an  un¬ 
locked  file  cabinet.  Corrective  action  was  scheduled. 

FUNCTION:  Property,  Plant,  and  Equipment 

Total  number  of  internal  control  reviews  conducted:  11 
Total  number  of  material  weaknesses:  10 
Examples  of  material  weaknesses: 

— In  HHS'  Dallas  regional  office,  a  clear  separation  of 
duties  was  not  made  between  receiving  personal  property 
items,  recording  property  transactions,  and  procuring 
property  items.  Corrective  actions  were  underway  to 
clearly  define  and  assign  to  different  individuals  the 
separate  duties  of  receiving,  recording,  and  procuring 
personal  property  items. 

— In  HHS*  Philadelphia  regional  office,  small  easily  con¬ 
cealed  equipment  which  is  open  to  pilferage  was  not 
marked  with  identifying  numbers.  Corrective  action  was 
scheduled  to  mark  the  equipment  and  record  the  numbers  in 
an  office  inventory  record. 


51 


APPENDIX  V 


APPENDIX  V 


FUNCTION:  Automatic  Data  Processing  (ADP) 

Total  number  of  internal  control  reviews  conducted:  7 
Total  number  of  material  weaknesses:  19 
Examples  of  material  weaknesses: 

— The  Social  Security  Administration  does  not  have  a  backup 
arrangement  should  its  principal  data  center  facility  be 
destroyed  or  otherwise  become  inoperative  for  an  extended 
period  of  time.  Efforts  are  proceeding  to  develop  such 
backup  capacity. 

— One  of  the  Health  Care  Financing  Administration's  ADP 
facilities  is  located  in  a  building  that  has  insufficient 
space  and  power  supply  to  handle  a  large  ADP  operation. 

As  a  result,  there  is  frequent  downtime.  In  addition, 
there  are  no  security  personnel  on  duty  at  the  building. 
Thus,  during  working  hours  the  general  public  can  gain 
access  to  the  building.  Corrective  action  calls  for  mov¬ 
ing  the  facility  to  another  building  which  is  designed  to 
accommodate  an  ADP  operation.  There  may  not  be  suffi¬ 
cient  funds  to  provide  the  extent  of  guard  coverage  that 
is  desired. 


52 


APPENDIX  VI 


APPENDIX  VI 


MPABTMINT  Of  HEALTH  A  HUMAN  IUVICU 


OWat  o«  Irwpmar  Owwwl 


AM  If  BB4 


Mr.  Richard  L.  Fogel 
Director,  Human  Resources 
Division 

United  States  General 
Accounting  office 
Washington,  D.C.  20S48 

Dear  Mr.  Fogel: 

The  Secretary  asked  that  I  respond  to  your  request  for  the 
Department's  comments  on  your  draft  of  a  proposed  report, 
"The  Department  of  Health  and  Human  Services'  First-Year 
Implementation  of  the  Federal  Managers'  Financial  Integrity 
Act."  The  enclosed  comments  represent  the  tentative  posi¬ 
tion  of  the  Department  and  are  subject  to  reevaluation  when 
the  final  version  of  this  report  is  received. 

We  appreciate  the  opportunity  to  comment  of  this  draft 
report  before  its  publication. 


Sincerely  yours. 


Enclosure 


/£>Ricoard  P.  Kusserow 
^Inspector  General 


53 


APPENDIX  VI 


APPENDIX  VI 


COMMENTS  OF  THE  DEPARTMENT  OF  HEALTH  AND  HUMAN  SERVICES  ON  THE 
GENERAL  ACCOUNTING  OFFICE'S  DRAFT  REPORT.  “THE  DEPARTMENT  OF 
HEALTH  AND  HUMAN  SERVICES.  FIRST-YEAR  IMPLEMENTATION  OF  THE 
FEDERAL  MANAGERS"  FINANCIAL  INTEGRITY  ACT" 

General 

We  reviewed  the  subject  report  and  found  that,  taken  as  a  whole,  it 
represents  the  actions  taken  and/or  planned  to  be  taken  by  the  Department 
to  implement  the  Integrity  Act. 

We  note  that  the  General  Accounting  Office  (GAO)  recognized  that  many  of 
the  actions  pertaining  to  internal  controls  taken  to  date  by  the  Department 
were  either  completed  or  the  system  was  put  in  operation  prior  to  the 
issuance  of  the  Office  of  Management  and  Budget  (OMB)  guidelines.  The 
recommendations  made  by  GAO  basically  stem  from  a  comparison  of  the 
Department's  system  to  the  OMB  guidelines  and,  where  the  two  are  at 
variance,  GAO  recommends  that  we  amend  our  system  to  more  fully  comply 
with  the  guidelines.  This  in  essence  has  the  effect  of  placing  the  guide¬ 
lines  on  the  same  level  as  standards.  The  Department's  position  and  the 
OMB's  position  (as  stated  in  OMB's  draft  question  and  answer  booklet  on 
internal  control  systems)  continue  to  be  that  guidelines  are  permissive 
in  nature  thus  providing  management  a  high  degree  of  flexibility. 

The  report  also  recognizes  that  the  OMB  and  the  GAO  still  have  not  issued 
guidelines  pertaining  to  Section  4  of  the  Act,  Accounting  Systems  Reviews. 
GAO  notes  that  the  Department  took  the  initiative  by  developing  its  own 
policies  and  procedures  for  meeting  its  legal  obligations  and  used  them  in 
reviewing  all  eight  general  ledger  systems  and  both  payroll  systems. 

We  have  been  working  under  the  premise  that  any  new  system  should  be 
re-evaluated  after  it  has  been  in  operation  for  a  year  or  two.  Accord¬ 
ingly,  our  plans  called  for  evaluating  the  internal  controls  system  during 
the  first  calendar  quarter  of  1984.  This  objective  was  accomplished  in 
March  with  a  two  day  workshop  of  the  Deparment's  Internal  Control  Steering 
Committee  and  Internal  Control  Officers  from  the  operating  divisions 
and  major  staff  divisions  of  the  Department.  The  workshop  addressed  the 
Issues  raised  by  the  General  Accounting  Office  and  the  Office  of  Management 
and  Budget  as  well  as  by  HHS's  Office  of  Inspector  General. 


APPENDIX  VI 


APPENDIX  VI 


The  workshop  participants  concluded  that  the  system  should  be  modified 
to  assure  that  the  Intent  of  the  recomnendatlons  made  by  all  three 
Independent  audit  groups  are  accomplished.  The  Assistant  Secretary 
for  Management  and  Budget,  the  Department's  Internal  Control  Manager, 
concurs  with  these  conclusions  and  has  Instructed  the  Committee  Chairman 
to  analyze  how  to  best  Implement  the  recomnendatlons  and  -develop  a  time 
phased  action  plan  for  doing  so.  Some  of  the  recomnendatlons  can  be 
Implemented  in  the  very  near  future.  However,  some  of  the  recommenda¬ 
tions  are  very  complex  and  may  require  long  lead  time  extending  into  the 
next  cycle. 

Following  Is  the  Department's  response  to  each  recomnendatlon  contained 
in  the  GAO  report. 

1.  GAO  RECOMMENDATION 

We  recommend  that  the  Secretary  direct  the  Assistant  Secretary  for 
Management  and  Rudget  to  improve  HHS'  instructions  for  the  segmentation 
process  by  revising  its  list  of  agency  functions  to  include  all  signifi¬ 
cant  functions. 

DEPARTMENT  COMMENT 

We  concur.  A  complete  and  comprehensive  inventory  of  all  significant 
internal  control  functions  is  central  to  the  Department's  internal 
control  initiative.  The  existing  list  of  the  Department's  internal 
control  functions  is  currently  under  review  to  determine  in  what  ways 
it  can  be  expanded  to  Include  any  additional  significant  functions. 

We  intend  to  assure  that  all  functions  Identified  in  the  GAO  report  as 
well  as  the  A-76  program,  will  be  included  in  the  Department's  revised 
list  of  Internal  control  functional  areas  as  required  by  0MB  in  a  recent 
directive  to  the  Heads  of  Departments. 

2.  GAO  RECOMMENDATION 


We  recommend  that  the  Secretary  direct  the  Assistant  Secretary  for 
Management  and  Budget  to  improve  HHS'  instructions  for  the  segmentation 
process  by  providing  additional  guidance  on  what  constitutes  a  "signficant 
responsibility"  so  that  a  more  consistent  interpretation  can  be  applied 
by  the  component  agencies. 

DEPARTMENT  COMMENT 


We  concur.  The  complexity  and  organizational  structure  of  the  Department 
requires  that  a  large  measure  of  flexibility  be  given  to  the  component 
agencies  In  determining  which  areas  of  their  organizations  should  be 
classified  as  having  "significant  responsibility"  for  Internal  controls. 
The  Department  designed  the  existing  policies  in  order  to  provide  that 
large  measure  of  flexibility  to  the  Department's  component  agencies.  In 
order  to  assure  that  the  term  "significant  responsibility"  Is  applied  on 
a  more  consistent  basis  throughout  the  Department,  we  Intend  to  provide 
our  component  agencies  with  the  necessary  additional  guidance  In  order  to 
meet  this  objective. 


APPENDIX  VI 


APPENDIX  VI 


3.  GAO  RECOMMENDATION 

Me  recommend  that  the  Secretary  direct  the  Assistant  Secretary  for 
Management  and  Budget  to  Improve  HHS‘  Instructions  for  the  segmentation 
process  by  requiring  more  specific  descriptions  of  Its  Internal  control 
areas  so  that  the  scope  of  activities  included  will  be  clearly  stated  for 
purposes  of  performing  VAs  and  ICRs. 

DEPARTMENT  COMMENT 

Me  concur.  The  Department  Intends  to  review  In  detail  the  descriptions 
of  Its  Internal  control  functional  areas  with  the  objective  of  assuring 
that  the  scope  of  the  activities  within  each  function  provides  a  clear 
and  comprehensive  description  of  each  functional  area.  Revising  the 
description  of  the  Department's  list  of  Internal  control  functions  will 
assist  the  Department's  component  agencies  fn  obtaining  full  coverage  of 
their  operations  for  purposes  of  performing  VAs  and  ICRs. 


4.  GAO  RECOMMENDATION 


He  also  recomnend  that  the  Secretary  direct  the  Assistant  Secretary  for 
Management  and  Budget  to  work  with  HCFA  ICO  staff  to  reevaluate  its 
segmentation  process  for  purposes  of  effectively  assessing  the  vulner¬ 
ability  of  the  Medicare  and  Medicaid  programs. 

DEPARTMENT  COMMENT 


We  concur.  The  Medicare  and  Medicaid  programs  administered  by  HCFA  are 
important  HHS  programs  over  which  strict  internal  controls  must  be 
maintained.  The  segmentation  process  for  purposes  of  effectively  assessing 
the  vulnerability  of  the  Medicare  and  Medicaid  programs  will  be  reviewed 
in  great  detail  to  determine  what  type  of  further  segmentation  is  warran¬ 
ted. 

5.  GAO  RECOMMENDATION 


Me  recommend  that  the  Secretary  require  the  Assistant  Secretary  for 
Management  and  Budget  to  develop  assessment  instruments  for  conducting 
VAs  which  Include  all  factors  0MB  considers  necessary  to  determine  the 
relative  vulnerability  of  each  Internal  control  area. 

DEPARTMENT  COMMENT 


Me  concur.  The  assessment  of  vulnerability  for  each  Internal  control 
area  Is  critical  In  terms  of  scheduling  ICRs  based  upon  relative  vulner¬ 
ability  and  In  terms  of  Identifying  weaknesses  which  require  Immediate 
corrective  actions.  It  Is  Important  to  recognize  that  all  of  HHS*  VAs 
were  conducted  using  an  assessment  Instrument  developed  prior  to  the 
Issuance  of  the  0MB  Guidelines. 

The  Department  Is  currently  reviewing  the  existing  vulnerability  assess¬ 
ment  policies  and  procedures  with  the  goal  of  revising  them  in  such  a 
manner  which  would  reflect  all  significant  factors  0MB  considers  necessary 
to  determine  the  relative  vulnerability  of  each  Internal  control  area. 

This  goal  may  be  accomplished  by  revisions  to  the  existing  vulnerability 
assessment  Instrument  or  by  development  of  a  new  assessment  instrument 
more  closely  aligned  with  the  0MB  Guidelines. 


APPENDIX  VI 


APPENDIX  VI 


6.  SAC  RECOMMENDATION 

Me  recommend  that  the  Secretary  require  the  Assistant  Secretary  for 
Management  and  Budget  to  require  a  written  explanation  of  the  rationale 
for  VA  scores.  The  explanation  should  be  sufficient  to  enable  an  indepen. 
dent  party  to  arrive  at  a  similar  rating  as  did  the  assessor.  It  should 
include  weaknesses  Identified  as  well  as  other  Information  necessary  for 
assuring  that  concerns  of  the  assessor  are  communicated  to  preparers  of 
ICRs  or  other  appropriate  personnel. 


DEPARTMENT  COMMENT 

Me  concur.  In  order  to  assist  an  Independent  party  In  arriving  at  a 
slmlllar  rating  as  did  the  assessor,  we  beVleve  It  would  be  beneficial  to 
provide  a  written  explanation  of  the  rationale  for  VA  scores.  The 
methodology  for  conducting  VAs  placed  the  responsibility  for  the  assess¬ 
ments  with  the  manager  most  closely  associated  with  the  Internal  control 
area  being  assesed.  As  such,  the  assessment  rating  accurately  reflects 
the  relative  vulnerability  of  each  Internal  control  area.  In  addition, 
the  ICO  at  each  of  the  Department's  component  agencies  exercises  authority 
over  the  final  assessment  to  insure  correctness,  reliability  and  accuracy. 
Nonetheless,  It  Is  recognized  that  written  explanations  of  the  rationale 
for  VA  scores  would  assist  Independent  parties  In  understanding  how  the 
results  of  the  ratings  were  obtained. 

7.  GAO  RECOMMENDATION 


Me  recomnend  that  the  Secretary  direct  the  Assistant  Secretary  for 
Management  and  Budget  to  more  fully  consider  In  the  VA  process  weaknesses 
Identified  In  GAO  reports  and  reports  from  other  external  sources. 

DEPARTMENT  COMMENT 


Me  concur.  The  Department's  Internal  control  Initiative  encompasses  the 
correction  of  all  Internal  control  weaknesses  whether  Identified  through 
VAs,  ICRs,  GAO  reports  or  reports  from  other  external  sources.  Me 
Intend  to  review  our  existing  VA  policies  and  procedures  to  determine  the 
appropriate  steps  which  must  be  taken  to  assure  that  the  VA  process 
specifically  Includes  and  addresses  weaknesses  Identified  In  GAO  reports 
and  reports  from  other  external  sources.  Mhlle  weaknesses  Identified  In 
such  reports  are  certainly  considered  in  the  existing  VA  process,  focusing 
additional  attention  on  such  weaknesses  can  only  serve  to  strengthen  the 
Department's  overall  Internal  control  Initiative. 


\ 

t- 


APPENDIX  VI 


APPENDIX  VI 


8.  GAO  RECOMMENDATION 

We  recommend  that  the  Secretary  require  the  Assistant  Secretary  for 
Management  and  Budget  to  require  that  weaknesses  Identified  during  the  VA 
process  be  documented  and  entered  Into  the  HHS  system  for  tracking 
Internal  control  weaknesses,  followed  up,  and  considered  for  Inclusion  In 
the  annual  report  to  the  President  and  the  Congress. 

DEPARTMENT  COMMENT 

We  concur.  The  Department  is  currently  evaluating  the  eqtlre  VA  process 
focusing  on  ways  to  streamline  the  process  while  making  It  more  compre¬ 
hensive.  Departmental  procedures  already  require  that  weaknesses  Identi¬ 
fied  during  the  VA  process  which  require  Immediate  corrective  actions  be 
brought  to  the  attention  of  management.  W^ Intend  to  review  our  existing 
VA  policies  and  procedures  to  determine  feasibility  of  documenting 
Identified  weaknesses,  entering  such  weaknesses  Into  the  Internal  Control 
Tracking  System  (ICTS).  We  also  Intend  to  evaluate  to  what  extent  weaknesses 
Identified  In  the  VA  process  should  be  Included  In  the  annual  report  to 
the  President  and  Congress. 

9.  GAO  RECOMMENDATION 

We  recommend  that  the  Secretary  require  the  Assistant  Secretary  for 
Management  and  Budget  to  provide  VA  preparers  the  necessary  background 
Information,  training,  and  time  to  complete  meaningful  assessments. 

DEPARTMENT  COMMENT 

We  concur.  Prom  the  Inception  of  the  Internal  control  Initiative,  the 
Department  has  gone  to  great  lengths  to  assure  that  VA  preparers  have 
the  necessary  background  Information,  training  and  time  to  complete 
meaningful  assessments.  While  the  Department  has  minimal  control  over 
the  timing  of  the  assessments  {currently  required  to  be  conducted  bienni¬ 
ally  by  0MB  Circular  A-123),  we  are  currently  In  the  process  of  reviewing 
the  VA  policies  and  procedures  to  determine  what  steps  can  be  taken  In 
terms  of  providing  additional  training  and  background  Information. 

Generally,  all  of  the  Department's  component  agencies  have  responsibility 
for  training  their  own  VA  preparers. 

10.  GAO  RECOMMENDATION 


We  recommend  that  the  Secretary  direct  the  Assistant  Secretary  for 
Management  and  Budget  to  revise  departmental  Instructions  to  require  ICRs 
that  either  Include  all  the  steps  contained  In  OMB's  guidelines  for  ICRs 
or  meet  the  objectives  of  those  steps. 

DEPARTMENT  COMMENT 

We  concur.  It  has  always  been  the  Department's  Intent  to  comply  with  the 
0MB  Guidelines  In  such  a  manner  that  would  Include  all  the  steps  contained 
In  0MB  Guidelines  for  ICRs  as  well  as  meet  the  objectives  of  those 
steps. 

The  existing  policies  end  procedures  for  conducting  ICRs  will  be  reviewed 
and  evaluated  In  great  detail  with  the  goal  of  revising  such  policies 
and  procedures  to  Incorporate  all  the  steps  and  objectives  for  ICRs  as 
contained  In  the  0MB  Guidelines. 


58 


APPENDIX  VI 


APPENDIX  VI 


11.  GAO  RECOMMENDATION 

We  recommend  that  the  Secretary  direct  the  Assistant  Secretary  for 
Management  and  Budget  to  monitor  review  documentation  of  all  component 
agencies  to  determine  compliance  with  HHS  requirements. 

DEPARTMENT  RESPONSE 

We  concur.  Compliance  with  the  Department's  requirements  for  conducting 
ICRs  Is  central  as  well  as  critical  to  the  review  process.  The  existing 
policies  and  procedures  place  significant  responsibility  on  the  ICOs  at 
the  Department's  component  agencies  to  assure  that  adequate  review 
documentation  Is  developed  and  maintained  for  each  ICR.  The  Department 
has  acted  In  an  oversight  role. 


12.  GAO  RECOMMENDATION 


We  recommend  that  the  Secretary  direct  the  Assistant  Secretary  for 
Management  and  Budget  to  emphasize  to  all  component  agencies,  through 
such  means  as  training  or  monitoring,  the  importance  of  adequately 
documenting  review  efforts. 

DEPARTMENT  COMMENT 

We  concur.  The  importance  of  adequately  documenting  review  efforts 
is  recognized  by  the  Department  as  one  of  the  most  important  procedures 
in  the  entire  internal  control  review  process. 

13.  GAO  RECOMMENDATION 


We  recommend  that  the  Secretary  require  the  Assistant  Secretary  for 
Management  and  Budget  to  (1)  provide  for  additional  training  on  and 
monitoring  of  the  segmentation,  VA,  and  ICR  processes,  and  (2)  revise  its 
ADP  security  program  to  meet  the  requirements  for  assessments  and  reviews 
under  0MB  guidelines  for  implementing  the  Financial  Integrity  Act. 

DEPARTMENT  COMMENT 

We  concur.  The  Department  is  a  strong  advocate  of  providing  additional 
training  on  and  monitoring  of  all  aspects  of  the  internal  control 
initiative. 

The  Department  has  already  drafted  policies  and  procedures  In  an  attempt 
to  dovetail  the  ADP  Security  program  with  the  requirements  of  the 
Integrity  Act.  This  process  Is  a  highly  technical  one  Involving  many 
complex  policies  and  procedures  as  well  as  complicated  and  confusing 
terminology.  However,  we  believe  that  the  Department's  efforts  to 
combine  the  ADP  security  program  with  the  requirements  of  the  Integrity 
Act  will  prove  to  be  a  successful  undertaking. 


APPENDIX  VI 


APPENDIX  VI 


14.  640  RECOMIgNOATION 

In  addition,  «*  recommend  that  tha  Secretary  require  that  Internal 
control  weaknesses  Identified  by  016,  6A0,  and  others  outside  tha 
Internal  control  evaluation  process  be  recorded,  tracked,  and  if  con- 
sldered  Material ,  Included  In  annual  report  to  the  President  and  the 
Congress. 

DEPARTMENT  COMMENT 

Me  concur.  As  Indicated  before.  It  Is  the  Department's  position  that 
all  Internal  control  weaknesses  be  corrected  regardless  of  whether 
such  weaknesses  were  identified  by  016,  6A0  or  other  external  sources. 
Me  Intend  to  review  our  existing  procedures  for  recording,  tracking 
and  reporting  material  weaknesses.  It  nay  well  be  that  a  coordination 
effort  with  the  016  would  help  a  great  deal-in  terms  of  Identifying 
tracking  and  reporting  Internal  control  weaknesses  from  sources  outside 
the  Internal  control  process. 


15.  GAO  PE COMMEND ATI QW 


Ue  recommend  that  the  Secretary  direct  the  Assistant  Secretary  for 
Management  and  Budget  to  take  steps  necessary  to  ensure  that  future 
reviews  of  accounting  systems  Include  adequate  testing  and  documentation 
of  review  procedures.  Steps  which  could  be  taken  include  (1)  publishing 
additional  instructions  on  the  degree,  types,  and  completeness  of 
testing  and  documentation  required,  (?)  providing  training  to  personnel 
performing  accounting  systems  reviews  to  make  sure  they  understand 
what  Is  expected  of  them  regarding  testing  and  documentation,  and 
(3)  performing  additional  monitoring  of  the  procedures  used  during 
accounting  systems  reviews  to  determine  the  adequacy  of  the  testing, 
verification,  and  documentation  of  results. 


DEPARTMENT  COWCNT 


We  concur.  In  torms  of  publishing  additional  policies  and  procedures. 

It  should  be  recognized  that  neither  0MB  nor  GAO  have  as  yet  Issued  their 
guidelines  for  conducting  accounting  systems  reviews.  The  existing 
procedures  for  reviewing  accounting  systems  were  developed  by  the 
Department  and  Implemented  In  an  effort  to  meet  the  requirements  of 
the  Integrity  Act.  It  Is  significant  to  note  that  eight  other 
Departments  and  Agencies  used  HHS's  procedures  (with  little  or  no 
modification).  HNS  would  prefer  to  obtain  the  official  review  procedures 
prior  to  Issuing  any  additional  Instructions  to  Its  component  agencies. 


60 


APPENDIX  VI 


APPENDIX  VI 


16.  660  KECOWjEimWlWj 

In  addition,  we  recommend  that  the  Secretary  direct  the  Assistant  Secretary 
for  Management  and  Budget  to  evaluate  all  Instances  of  nonconformance 
with  the  Comptroller  fieneral's  accounting  principles  and  standards  that 
the  Department  is  aware  of  and  Include  those  that  are  considered  material 
In  future  annual  reports. 

DEPARTMENT  COMMENT 


Me  concur.  The  Department  Is  strongly  committed  to  Identifying  and 
correcting  all  instances  of  nonconformance  with  the  Comptroller  General's 
principles  and  standards.  Me  Intend  to  revise  existing  procedures 
to  assure  that  all  such  Instances  of  nonconformance  are  evaluated  and, 
where  appropriate.  Included  In  future  annual  reports  to  the  President 
and  Congress. 


(203503) 


